9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d

Analysis

max time kernel
38s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 13:30

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

JKT48.exe
Size

8.0MB
MD5

41f5bac802f5e79dc2ca7a3db25d0001
SHA1

ce56c42cadd2db13edf03c15ce3b11c2cfa00f9e
SHA256

9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d
SHA512

94705e83ce1b104954be07210ea3648c7403a6dd86ebaf6e884ced1552636b6a05a3b2926415d6c49ff251a675815435e4b2a3c8f816bbbf68c08c3299db99ab
SSDEEP

196608:PF35AX/ip4e/aS3e+gr80KILDjhoOX9oeqZ8r8swzH0e:d3KX/o4eSTr80xHhJ8s63

Score

10^/10

bootkit defense_evasion discovery evasion execution exploit impact persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	JKT48.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	JKT48.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	JKT48.exe

Disables Task Manager via registry modification
defense_evasion
Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 32 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustedinstaller.exe\Debugger = "*/"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustedinstaller.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipconfig.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipconfig.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	JKT48.exe

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
5060	Process not Found
5572	Process not Found
3088	takeown.exe
4296	takeown.exe
3492	icacls.exe
3028	takeown.exe
5144	takeown.exe
5916	Process not Found
5896	Process not Found
1536	icacls.exe
2332	icacls.exe
2400	takeown.exe
64	takeown.exe
4000	takeown.exe
3500	takeown.exe
5992	Process not Found
3288	Process not Found
3176	icacls.exe
3788	icacls.exe
5884	Process not Found
6076	Process not Found
6012	Process not Found
992	Process not Found
2976	icacls.exe
2540	takeown.exe
2068	icacls.exe
5808	takeown.exe
1612	Process not Found
5872	Process not Found
2336	icacls.exe
1100	icacls.exe
5732	icacls.exe
6000	icacls.exe
968	takeown.exe
3520	icacls.exe
5764	takeown.exe
4004	icacls.exe
4428	icacls.exe
6076	takeown.exe
5740	icacls.exe
5880	Process not Found
3088	takeown.exe
3820	icacls.exe
2020	takeown.exe
3656	icacls.exe
5060	icacls.exe
4000	icacls.exe
5700	takeown.exe
5144	icacls.exe
1380	takeown.exe
4544	icacls.exe
996	takeown.exe
1632	takeown.exe
5736	Process not Found
5952	Process not Found
1424	Process not Found
1556	takeown.exe
968	icacls.exe
6096	icacls.exe
5868	Process not Found
3524	takeown.exe
1232	takeown.exe
3224	icacls.exe
4000	takeown.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	JKT48.exe

Loads dropped DLL 1 IoCs

pid	Process
1788	Process not Found

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5020	takeown.exe
3124	icacls.exe
4612	icacls.exe
1696	takeown.exe
3500	takeown.exe
3520	takeown.exe
2020	icacls.exe
304	takeown.exe
4708	icacls.exe
2432	icacls.exe
4932	icacls.exe
6124	takeown.exe
5648	icacls.exe
5984	icacls.exe
4968	icacls.exe
1312	icacls.exe
6084	icacls.exe
3084	takeown.exe
2396	takeown.exe
2448	takeown.exe
4424	takeown.exe
2820	icacls.exe
1840	takeown.exe
3500	takeown.exe
5628	Process not Found
3880	icacls.exe
1900	takeown.exe
2136	takeown.exe
2400	takeown.exe
1392	icacls.exe
5732	icacls.exe
1436	icacls.exe
5096	icacls.exe
3492	takeown.exe
272	icacls.exe
5840	Process not Found
1628	Process not Found
5692	Process not Found
5372	Process not Found
2148	icacls.exe
1776	icacls.exe
872	takeown.exe
2068	icacls.exe
2332	icacls.exe
5060	icacls.exe
3176	takeown.exe
5148	takeown.exe
4588	icacls.exe
4448	icacls.exe
4452	takeown.exe
3480	takeown.exe
3028	takeown.exe
5992	icacls.exe
836	icacls.exe
5144	takeown.exe
5244	takeown.exe
2148	takeown.exe
2628	takeown.exe
3320	icacls.exe
3028	icacls.exe
5684	takeown.exe
5732	Process not Found
5732	Process not Found
4364	takeown.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	JKT48.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File created	C:\windows\syswow64\perfmon.msc	JKT48.exe
File created	C:\windows\syswow64\sethc.exe	JKT48.exe
File created	C:\windows\system32\reg.exe	JKT48.exe
File created	C:\windows\system32\taskkill.exe	JKT48.exe
File created	C:\windows\system32\msconfig.exe	JKT48.exe
File created	C:\windows\system32\perfmon.msc	JKT48.exe
File created	C:\windows\system32\hal.dll	JKT48.exe
File created	C:\windows\system32\ntoskrnl.exe	JKT48.exe
File created	C:\windows\syswow64\cmd.exe	JKT48.exe
File created	C:\windows\syswow64\taskkill.exe	JKT48.exe
File created	C:\windows\system32\utilman.exe	JKT48.exe
File created	C:\windows\system32\sethc.exe	JKT48.exe
File created	C:\windows\system32\perfmon.exe	JKT48.exe
File created	C:\windows\system32\resmon.exe	JKT48.exe
File created	C:\windows\system32\rundll32.exe	JKT48.exe
File created	C:\windows\system32\winload.exe	JKT48.exe
File created	C:\windows\syswow64\rundll32.exe	JKT48.exe
File created	C:\windows\system32\cmd.exe	JKT48.exe
File created	C:\windows\system32\taskmgr.exe	JKT48.exe
File created	C:\windows\syswow64\taskmgr.exe	JKT48.exe
File created	C:\windows\syswow64\utilman.exe	JKT48.exe
File created	C:\windows\syswow64\resmon.exe	JKT48.exe
File created	C:\windows\system32\sfc.exe	JKT48.exe
File created	C:\windows\syswow64\reg.exe	JKT48.exe
File created	C:\windows\syswow64\perfmon.exe	JKT48.exe
File created	C:\windows\syswow64\sfc.exe	JKT48.exe
File created	C:\windows\system32\logonui.exe	JKT48.exe
File created	C:\windows\system32\rstrui.exe	JKT48.exe
File created	C:\windows\syswow64\regedit.exe	JKT48.exe

Drops file in Program Files directory 58 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\RCX837B.tmp	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\dotnet\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\RCXC06A.tmp	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\460326131	JKT48.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\dotnet\210122811	JKT48.exe
File opened for modification	C:\Program Files\dotnet\RCX9E57.tmp	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\dotnet\RCX9E58.tmp	JKT48.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXBE75.tmp	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\564160241	JKT48.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\530725327	JKT48.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\325309509	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\850299318	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\RCXC389.tmp	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\dotnet\210122811	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\RCXC06B.tmp	JKT48.exe
File created	C:\Program Files\Internet Explorer\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\RCX7DCB.tmp	JKT48.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\7-Zip\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\7-Zip\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\RCX837A.tmp	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\530725327	JKT48.exe
File created	C:\Program Files\dotnet\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\564160241	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\RCXC38A.tmp	JKT48.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\850299318	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\460326131	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\RCX7DDC.tmp	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\325309509	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXBE74.tmp	JKT48.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\regedit.exe	JKT48.exe
File created	C:\windows\servicing\trustedinstaller.exe	JKT48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1424	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1416	JKT48.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	JKT48.exe
Token: SeDebugPrivilege	1416	JKT48.exe
Token: SeIncBasePriorityPrivilege	1416	JKT48.exe
Token: SeTakeOwnershipPrivilege	2136	takeown.exe
Token: SeTakeOwnershipPrivilege	3484	takeown.exe
Token: SeTakeOwnershipPrivilege	3224	takeown.exe
Token: SeTakeOwnershipPrivilege	4684	takeown.exe
Token: SeTakeOwnershipPrivilege	1556	takeown.exe
Token: SeTakeOwnershipPrivilege	4480	takeown.exe
Token: SeTakeOwnershipPrivilege	8	takeown.exe
Token: SeTakeOwnershipPrivilege	3808	takeown.exe
Token: SeTakeOwnershipPrivilege	3568	takeown.exe
Token: SeTakeOwnershipPrivilege	2068	takeown.exe
Token: SeTakeOwnershipPrivilege	2400	takeown.exe
Token: SeTakeOwnershipPrivilege	3164	takeown.exe
Token: SeTakeOwnershipPrivilege	2536	takeown.exe
Token: SeTakeOwnershipPrivilege	3124	takeown.exe
Token: SeTakeOwnershipPrivilege	3836	takeown.exe
Token: SeTakeOwnershipPrivilege	2576	takeown.exe
Token: SeTakeOwnershipPrivilege	2720	takeown.exe
Token: SeTakeOwnershipPrivilege	2056	takeown.exe
Token: SeTakeOwnershipPrivilege	4880	takeown.exe
Token: SeTakeOwnershipPrivilege	3736	takeown.exe
Token: SeTakeOwnershipPrivilege	1244	takeown.exe
Token: SeTakeOwnershipPrivilege	3628	takeown.exe
Token: SeTakeOwnershipPrivilege	4024	takeown.exe
Token: SeTakeOwnershipPrivilege	216	takeown.exe
Token: SeTakeOwnershipPrivilege	1984	takeown.exe
Token: SeTakeOwnershipPrivilege	5116	takeown.exe
Token: SeTakeOwnershipPrivilege	4424	takeown.exe
Token: SeTakeOwnershipPrivilege	1140	takeown.exe
Token: SeTakeOwnershipPrivilege	4564	takeown.exe
Token: SeTakeOwnershipPrivilege	3672	takeown.exe
Token: SeTakeOwnershipPrivilege	1468	takeown.exe
Token: SeTakeOwnershipPrivilege	5088	takeown.exe
Token: SeTakeOwnershipPrivilege	1768	takeown.exe
Token: SeTakeOwnershipPrivilege	3028	takeown.exe
Token: SeTakeOwnershipPrivilege	2396	takeown.exe
Token: SeTakeOwnershipPrivilege	4784	takeown.exe
Token: SeTakeOwnershipPrivilege	4600	takeown.exe
Token: SeTakeOwnershipPrivilege	884	takeown.exe
Token: SeTakeOwnershipPrivilege	2904	takeown.exe
Token: SeTakeOwnershipPrivilege	1312	takeown.exe
Token: SeTakeOwnershipPrivilege	1380	takeown.exe
Token: SeTakeOwnershipPrivilege	3572	takeown.exe
Token: SeTakeOwnershipPrivilege	4360	takeown.exe
Token: SeTakeOwnershipPrivilege	5096	takeown.exe
Token: SeTakeOwnershipPrivilege	1208	takeown.exe
Token: SeTakeOwnershipPrivilege	4904	takeown.exe
Token: SeTakeOwnershipPrivilege	2628	takeown.exe
Token: SeTakeOwnershipPrivilege	4520	takeown.exe
Token: SeTakeOwnershipPrivilege	2976	takeown.exe
Token: SeTakeOwnershipPrivilege	3348	takeown.exe
Token: SeTakeOwnershipPrivilege	224	takeown.exe
Token: SeTakeOwnershipPrivilege	4608	takeown.exe
Token: SeTakeOwnershipPrivilege	1976	takeown.exe
Token: SeTakeOwnershipPrivilege	1324	takeown.exe
Token: SeTakeOwnershipPrivilege	1236	takeown.exe
Token: SeTakeOwnershipPrivilege	3984	takeown.exe
Token: SeTakeOwnershipPrivilege	1380	takeown.exe
Token: SeTakeOwnershipPrivilege	1536	takeown.exe
Token: SeTakeOwnershipPrivilege	2448	takeown.exe
Token: SeTakeOwnershipPrivilege	4588	takeown.exe
Token: SeTakeOwnershipPrivilege	3420	takeown.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe
1416	JKT48.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1244	1416	JKT48.exe	87
PID 1416 wrote to memory of 1244	1416	JKT48.exe	87
PID 1416 wrote to memory of 2576	1416	JKT48.exe	89
PID 1416 wrote to memory of 2576	1416	JKT48.exe	89
PID 1416 wrote to memory of 4452	1416	JKT48.exe	91
PID 1416 wrote to memory of 4452	1416	JKT48.exe	91
PID 1416 wrote to memory of 3400	1416	JKT48.exe	93
PID 1416 wrote to memory of 3400	1416	JKT48.exe	93
PID 1416 wrote to memory of 2388	1416	JKT48.exe	95
PID 1416 wrote to memory of 2388	1416	JKT48.exe	95
PID 1416 wrote to memory of 3760	1416	JKT48.exe	97
PID 1416 wrote to memory of 3760	1416	JKT48.exe	97
PID 1416 wrote to memory of 2396	1416	JKT48.exe	99
PID 1416 wrote to memory of 2396	1416	JKT48.exe	99
PID 1416 wrote to memory of 1672	1416	JKT48.exe	101
PID 1416 wrote to memory of 1672	1416	JKT48.exe	101
PID 1416 wrote to memory of 2136	1416	JKT48.exe	103
PID 1416 wrote to memory of 2136	1416	JKT48.exe	103
PID 1416 wrote to memory of 3088	1416	JKT48.exe	105
PID 1416 wrote to memory of 3088	1416	JKT48.exe	105
PID 1416 wrote to memory of 2020	1416	JKT48.exe	107
PID 1416 wrote to memory of 2020	1416	JKT48.exe	107
PID 1416 wrote to memory of 4844	1416	JKT48.exe	109
PID 1416 wrote to memory of 4844	1416	JKT48.exe	109
PID 1416 wrote to memory of 4128	1416	JKT48.exe	112
PID 1416 wrote to memory of 4128	1416	JKT48.exe	112
PID 1416 wrote to memory of 1616	1416	JKT48.exe	114
PID 1416 wrote to memory of 1616	1416	JKT48.exe	114
PID 1416 wrote to memory of 3484	1416	JKT48.exe	117
PID 1416 wrote to memory of 3484	1416	JKT48.exe	117
PID 1416 wrote to memory of 1536	1416	JKT48.exe	119
PID 1416 wrote to memory of 1536	1416	JKT48.exe	119
PID 1416 wrote to memory of 3224	1416	JKT48.exe	121
PID 1416 wrote to memory of 3224	1416	JKT48.exe	121
PID 1416 wrote to memory of 2704	1416	JKT48.exe	123
PID 1416 wrote to memory of 2704	1416	JKT48.exe	123
PID 1416 wrote to memory of 4684	1416	JKT48.exe	125
PID 1416 wrote to memory of 4684	1416	JKT48.exe	125
PID 1416 wrote to memory of 2800	1416	JKT48.exe	127
PID 1416 wrote to memory of 2800	1416	JKT48.exe	127
PID 1416 wrote to memory of 1556	1416	JKT48.exe	129
PID 1416 wrote to memory of 1556	1416	JKT48.exe	129
PID 1416 wrote to memory of 4544	1416	JKT48.exe	131
PID 1416 wrote to memory of 4544	1416	JKT48.exe	131
PID 1416 wrote to memory of 5116	1416	JKT48.exe	133
PID 1416 wrote to memory of 5116	1416	JKT48.exe	133
PID 1416 wrote to memory of 3420	1416	JKT48.exe	135
PID 1416 wrote to memory of 3420	1416	JKT48.exe	135
PID 1416 wrote to memory of 1932	1416	JKT48.exe	137
PID 1416 wrote to memory of 1932	1416	JKT48.exe	137
PID 1416 wrote to memory of 3736	1416	JKT48.exe	139
PID 1416 wrote to memory of 3736	1416	JKT48.exe	139
PID 1416 wrote to memory of 4552	1416	JKT48.exe	140
PID 1416 wrote to memory of 4552	1416	JKT48.exe	140
PID 1416 wrote to memory of 4968	1416	JKT48.exe	143
PID 1416 wrote to memory of 4968	1416	JKT48.exe	143
PID 1416 wrote to memory of 3504	1416	JKT48.exe	145
PID 1416 wrote to memory of 3504	1416	JKT48.exe	145
PID 1416 wrote to memory of 2760	1416	JKT48.exe	147
PID 1416 wrote to memory of 2760	1416	JKT48.exe	147
PID 1416 wrote to memory of 4480	1416	JKT48.exe	149
PID 1416 wrote to memory of 4480	1416	JKT48.exe	149
PID 1416 wrote to memory of 4896	1416	JKT48.exe	151
PID 1416 wrote to memory of 4896	1416	JKT48.exe	151

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	JKT48.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JKT48.exe
"C:\Users\Admin\AppData\Local\Temp\JKT48.exe"
1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1416
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin" /a
  2⤵
  PID:1244
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin" /grant Administrators:F
  2⤵
  PID:2576
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin\S-1-5-21-83325578-304917428-1200496059-1000" /a
  2⤵
  PID:4452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin\S-1-5-21-83325578-304917428-1200496059-1000" /grant Administrators:F
  2⤵
  PID:3400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\9067c5701a2f6bcc5b" /a
  2⤵
  PID:2388
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\9067c5701a2f6bcc5b" /grant Administrators:F
  2⤵
  PID:3760
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\95a9da8d6083c53f11d88fcfaf8c" /a
  2⤵
  PID:2396
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\95a9da8d6083c53f11d88fcfaf8c" /grant Administrators:F
  2⤵
  PID:1672
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\cmd.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Documents and Settings" /a
  2⤵
  - Possible privilege escalation attempt
  PID:3088
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\cmd.exe" /grant Administrators:F
  2⤵
  PID:2020
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Documents and Settings" /grant Administrators:F
  2⤵
  PID:4844
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\PerfLogs" /a
  2⤵
  PID:4128
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\PerfLogs" /grant Administrators:F
  2⤵
  PID:1616
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3484
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\regedit.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3224
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\regedit.exe" /grant Administrators:F
  2⤵
  PID:2704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\reg.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\reg.exe" /grant Administrators:F
  2⤵
  PID:2800
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskmgr.exe" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\taskmgr.exe" /grant Administrators:F
  2⤵
  PID:4544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip" /a
  2⤵
  PID:5116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip" /grant Administrators:F
  2⤵
  PID:3420
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\msconfig.exe" /a
  2⤵
  PID:1932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\7z.exe" /a
  2⤵
  PID:3736
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\msconfig.exe" /grant Administrators:F
  2⤵
  PID:4552
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\7z.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:4968
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\Lang" /a
  2⤵
  PID:3504
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\Lang" /grant Administrators:F
  2⤵
  PID:2760
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files" /grant Administrators:F
  2⤵
  PID:4896
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\DESIGNER" /a
  2⤵
  PID:3944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\utilman.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\DESIGNER" /grant Administrators:F
  2⤵
  PID:4888
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\utilman.exe" /grant Administrators:F
  2⤵
  PID:732
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared" /grant Administrators:F
  2⤵
  PID:3140
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ClickToRun" /a
  2⤵
  - Modifies file permissions
  PID:3084
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ClickToRun" /grant Administrators:F
  2⤵
  PID:996
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe" /a
  2⤵
  PID:2904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\sethc.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3568
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe" /grant Administrators:F
  2⤵
  PID:5104
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\sethc.exe" /grant Administrators:F
  2⤵
  PID:3348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink" /grant Administrators:F
  2⤵
  PID:2136
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe" /grant Administrators:F
  2⤵
  PID:2740
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.exe" /grant Administrators:F
  2⤵
  PID:1344
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ar-SA" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ar-SA" /grant Administrators:F
  2⤵
  PID:4296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\bg-BG" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\bg-BG" /grant Administrators:F
  2⤵
  PID:1020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.msc" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ" /grant Administrators:F
  2⤵
  PID:2652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.msc" /grant Administrators:F
  2⤵
  PID:2684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\da-DK" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\da-DK" /grant Administrators:F
  2⤵
  PID:920
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\de-DE" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\de-DE" /grant Administrators:F
  2⤵
  PID:448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\el-GR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4880
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\el-GR" /grant Administrators:F
  2⤵
  PID:2012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\resmon.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\en-GB" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\resmon.exe" /grant Administrators:F
  2⤵
  PID:1440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\en-GB" /grant Administrators:F
  2⤵
  PID:3380
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\en-US" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\en-US" /grant Administrators:F
  2⤵
  PID:4996
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\es-ES" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4024
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\es-ES" /grant Administrators:F
  2⤵
  PID:1548
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\es-MX" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\logonui.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\es-MX" /grant Administrators:F
  2⤵
  PID:2508
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\logonui.exe" /grant Administrators:F
  2⤵
  PID:3636
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\et-EE" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\et-EE" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:4588
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fi-FI" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4424
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fi-FI" /grant Administrators:F
  2⤵
  PID:2136
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fr-CA" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fr-CA" /grant Administrators:F
  2⤵
  PID:4348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskkill.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fr-FR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3672
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\taskkill.exe" /grant Administrators:F
  2⤵
  PID:968
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fr-FR" /grant Administrators:F
  2⤵
  PID:5020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions" /grant Administrators:F
  2⤵
  PID:3836
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad" /grant Administrators:F
  2⤵
  PID:4788
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert" /grant Administrators:F
  2⤵
  PID:792
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\rundll32.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\rundll32.exe" /grant Administrators:F
  2⤵
  PID:4984
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad" /grant Administrators:F
  2⤵
  PID:2628
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main" /grant Administrators:F
  2⤵
  PID:2020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui" /grant Administrators:F
  2⤵
  PID:4840
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\rstrui.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\rstrui.exe" /grant Administrators:F
  2⤵
  PID:1436
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu" /grant Administrators:F
  2⤵
  PID:400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav" /grant Administrators:F
  2⤵
  PID:2096
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad" /grant Administrators:F
  2⤵
  PID:2136
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3572
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\sfc.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4360
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred" /grant Administrators:F
  2⤵
  PID:5008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\sfc.exe" /grant Administrators:F
  2⤵
  PID:3808
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols" /grant Administrators:F
  2⤵
  PID:4004
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\he-IL" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\he-IL" /grant Administrators:F
  2⤵
  PID:1616
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\hr-HR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\hr-HR" /grant Administrators:F
  2⤵
  PID:1204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\winload.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\hu-HU" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\winload.exe" /grant Administrators:F
  2⤵
  PID:3680
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\hu-HU" /grant Administrators:F
  2⤵
  PID:4672
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization" /grant Administrators:F
  2⤵
  PID:3484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\it-IT" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\it-IT" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:4448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ja-JP" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:224
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ja-JP" /grant Administrators:F
  2⤵
  PID:2388
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\ntoskrnl.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4608
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ko-KR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\ntoskrnl.exe" /grant Administrators:F
  2⤵
  PID:3276
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ko-KR" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2332
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel" /grant Administrators:F
  2⤵
  PID:4860
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\lt-LT" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\lt-LT" /grant Administrators:F
  2⤵
  PID:2308
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\lv-LV" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\hal.dll" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\lv-LV" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3880
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\hal.dll" /grant Administrators:F
  2⤵
  PID:216
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\nb-NO" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\nb-NO" /grant Administrators:F
  2⤵
  PID:3224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\nl-NL" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\nl-NL" /grant Administrators:F
  2⤵
  PID:4504
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\pl-PL" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4588
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\pl-PL" /grant Administrators:F
  2⤵
  PID:1160
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\servicing\trustedinstaller.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3420
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\pt-BR" /a
  2⤵
  PID:728
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\servicing\trustedinstaller.exe" /grant Administrators:F
  2⤵
  PID:2052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\pt-BR" /grant Administrators:F
  2⤵
  PID:1100
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\pt-PT" /a
  2⤵
  PID:4448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\pt-PT" /grant Administrators:F
  2⤵
  PID:3500
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ro-RO" /a
  2⤵
  PID:3132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ro-RO" /grant Administrators:F
  2⤵
  PID:4480
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ru-RU" /a
  2⤵
  PID:1976
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ru-RU" /grant Administrators:F
  2⤵
  PID:3792
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\cmd.exe" /a
  2⤵
  PID:1444
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sk-SK" /a
  2⤵
  PID:548
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\cmd.exe" /grant Administrators:F
  2⤵
  PID:5012
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sk-SK" /grant Administrators:F
  2⤵
  PID:1208
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sl-SI" /a
  2⤵
  PID:2376
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sl-SI" /grant Administrators:F
  2⤵
  PID:2916
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS" /a
  2⤵
  PID:1996
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS" /grant Administrators:F
  2⤵
  PID:1244
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sv-SE" /a
  2⤵
  PID:1468
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\regedit.exe" /a
  2⤵
  PID:2984
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sv-SE" /grant Administrators:F
  2⤵
  PID:1368
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\regedit.exe" /grant Administrators:F
  2⤵
  PID:4840
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\th-TH" /a
  2⤵
  PID:3164
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\th-TH" /grant Administrators:F
  2⤵
  PID:1852
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\tr-TR" /a
  2⤵
  PID:2456
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\tr-TR" /grant Administrators:F
  2⤵
  PID:1020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\uk-UA" /a
  2⤵
  PID:3124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\uk-UA" /grant Administrators:F
  2⤵
  PID:4444
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\zh-CN" /a
  2⤵
  PID:2044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\reg.exe" /a
  2⤵
  PID:2012
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\zh-CN" /grant Administrators:F
  2⤵
  PID:2332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\reg.exe" /grant Administrators:F
  2⤵
  PID:3276
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\zh-TW" /a
  2⤵
  - Possible privilege escalation attempt
  PID:3524
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\zh-TW" /grant Administrators:F
  2⤵
  PID:4372
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo" /a
  2⤵
  PID:1148
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo" /grant Administrators:F
  2⤵
  PID:1424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe" /a
  2⤵
  PID:1444
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe" /grant Administrators:F
  2⤵
  PID:1236
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskmgr.exe" /a
  2⤵
  PID:1324
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskmgr.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE" /a
  2⤵
  PID:2700
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE" /grant Administrators:F
  2⤵
  PID:4504
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US" /a
  2⤵
  PID:2504
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US" /grant Administrators:F
  2⤵
  PID:2824
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES" /a
  2⤵
  PID:4592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES" /grant Administrators:F
  2⤵
  PID:3760
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\utilman.exe" /a
  2⤵
  PID:3184
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR" /a
  2⤵
  PID:1168
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\utilman.exe" /grant Administrators:F
  2⤵
  PID:3480
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR" /grant Administrators:F
  2⤵
  PID:1672
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT" /a
  2⤵
  PID:4608
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2336
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP" /a
  2⤵
  PID:4900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP" /grant Administrators:F
  2⤵
  PID:3524
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA" /a
  2⤵
  PID:2044
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA" /grant Administrators:F
  2⤵
  PID:1892
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.exe" /a
  2⤵
  PID:4996
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OFFICE16" /a
  2⤵
  PID:3176
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.exe" /grant Administrators:F
  2⤵
  PID:5088
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OFFICE16" /grant Administrators:F
  2⤵
  PID:4992
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE" /a
  2⤵
  PID:1812
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE" /grant Administrators:F
  2⤵
  PID:4576
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller" /a
  2⤵
  - Modifies file permissions
  PID:4452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller" /grant Administrators:F
  2⤵
  PID:1140
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.msc" /a
  2⤵
  PID:4204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform" /a
  2⤵
  PID:2824
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.msc" /grant Administrators:F
  2⤵
  PID:2584
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform" /grant Administrators:F
  2⤵
  PID:2540
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Source Engine" /a
  2⤵
  PID:1440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Source Engine" /grant Administrators:F
  2⤵
  PID:1176
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE" /a
  2⤵
  PID:1664
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE" /grant Administrators:F
  2⤵
  PID:64
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Stationery" /a
  2⤵
  PID:2456
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\resmon.exe" /a
  2⤵
  PID:3516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Stationery" /grant Administrators:F
  2⤵
  PID:1204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\resmon.exe" /grant Administrators:F
  2⤵
  PID:220
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\TextConv" /a
  2⤵
  PID:2916
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\TextConv" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\TextConv\en-US" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1232
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\TextConv\en-US" /grant Administrators:F
  2⤵
  PID:224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Triedit" /a
  2⤵
  - Modifies file permissions
  PID:2628
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Triedit" /grant Administrators:F
  2⤵
  PID:1480
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Triedit\en-US" /a
  2⤵
  PID:1700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sethc.exe" /a
  2⤵
  PID:3264
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Triedit\en-US" /grant Administrators:F
  2⤵
  PID:2960
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\sethc.exe" /grant Administrators:F
  2⤵
  PID:4488
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VC" /a
  2⤵
  PID:2888
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VC" /grant Administrators:F
  2⤵
  PID:4128
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VGX" /a
  2⤵
  PID:228
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VGX" /grant Administrators:F
  2⤵
  PID:4152
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO" /a
  2⤵
  PID:4024
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO" /grant Administrators:F
  2⤵
  PID:3084
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskkill.exe" /a
  2⤵
  PID:2096
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0" /a
  2⤵
  PID:5096
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO\10.0" /grant Administrators:F
  2⤵
  PID:2012
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskkill.exe" /grant Administrators:F
  2⤵
  PID:1244
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe" /a
  2⤵
  PID:3028
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe" /grant Administrators:F
  2⤵
  PID:1856
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033" /a
  2⤵
  PID:1324
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033" /grant Administrators:F
  2⤵
  PID:3108
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Services" /a
  2⤵
  PID:4600
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Services" /grant Administrators:F
  2⤵
  PID:1092
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sfc.exe" /a
  2⤵
  - Modifies file permissions
  PID:5020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System" /a
  2⤵
  PID:2904
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\sfc.exe" /grant Administrators:F
  2⤵
  PID:4532
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System" /grant Administrators:F
  2⤵
  PID:4424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado" /a
  2⤵
  PID:64
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado" /grant Administrators:F
  2⤵
  PID:2976
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\de-DE" /a
  2⤵
  PID:3728
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\de-DE" /grant Administrators:F
  2⤵
  PID:3492
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\en-US" /a
  2⤵
  PID:4548
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\en-US" /grant Administrators:F
  2⤵
  PID:932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\rundll32.exe" /a
  2⤵
  PID:4056
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\rundll32.exe" /grant Administrators:F
  2⤵
  PID:1268
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\es-ES" /a
  2⤵
  PID:3836
- C:\windows\system32\vssadmin.exe
  "C:\windows\system32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1424
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\es-ES" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4004
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\fr-FR" /a
  2⤵
  PID:2724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\fr-FR" /grant Administrators:F
  2⤵
  PID:1452
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\it-IT" /a
  2⤵
  PID:1344
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\it-IT" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4428
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\ja-JP" /a
  2⤵
  PID:3672
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\ja-JP" /grant Administrators:F
  2⤵
  PID:1480
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\de-DE" /a
  2⤵
  PID:716
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\de-DE" /grant Administrators:F
  2⤵
  PID:4364
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\en-US" /a
  2⤵
  PID:2680
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\en-US" /grant Administrators:F
  2⤵
  PID:2888
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\es-ES" /a
  2⤵
  - Modifies file permissions
  PID:4424
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\es-ES" /grant Administrators:F
  2⤵
  PID:2904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\fr-FR" /a
  2⤵
  PID:996
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\fr-FR" /grant Administrators:F
  2⤵
  PID:1672
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\it-IT" /a
  2⤵
  PID:2976
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\it-IT" /grant Administrators:F
  2⤵
  PID:1380
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ja-JP" /a
  2⤵
  PID:4296
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ja-JP" /grant Administrators:F
  2⤵
  PID:1088
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc" /a
  2⤵
  PID:288
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:3820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\de-DE" /a
  2⤵
  PID:3484
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\de-DE" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3124
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\en-US" /a
  2⤵
  PID:1228
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\en-US" /grant Administrators:F
  2⤵
  PID:4488
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\es-ES" /a
  2⤵
  - Modifies file permissions
  PID:872
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\es-ES" /grant Administrators:F
  2⤵
  PID:1780
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\fr-FR" /a
  2⤵
  PID:804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\fr-FR" /grant Administrators:F
  2⤵
  PID:1696
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\it-IT" /a
  2⤵
  PID:932
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\it-IT" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2820
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\ja-JP" /a
  2⤵
  PID:4012
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\ja-JP" /grant Administrators:F
  2⤵
  PID:4496
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB" /a
  2⤵
  PID:540
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB" /grant Administrators:F
  2⤵
  PID:1784
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\de-DE" /a
  2⤵
  PID:2936
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\de-DE" /grant Administrators:F
  2⤵
  PID:1536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\en-US" /a
  2⤵
  PID:2308
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\en-US" /grant Administrators:F
  2⤵
  PID:1380
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1088
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\es-ES" /a
  2⤵
  PID:2396
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\es-ES" /grant Administrators:F
  2⤵
  PID:2852
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\fr-FR" /a
  2⤵
  PID:1812
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\fr-FR" /grant Administrators:F
  2⤵
  PID:2944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\it-IT" /a
  2⤵
  PID:1072
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\it-IT" /grant Administrators:F
  2⤵
  PID:2004
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\ja-JP" /a
  2⤵
  PID:2020
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\ja-JP" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1436
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\uk-UA" /a
  2⤵
  PID:3028
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1696
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\uk-UA" /grant Administrators:F
  2⤵
  PID:4548
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Crashpad" /a
  2⤵
  PID:2440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Crashpad" /grant Administrators:F
  2⤵
  PID:2336
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Crashpad\attachments" /a
  2⤵
  PID:1896
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Crashpad\attachments" /grant Administrators:F
  2⤵
  PID:3500
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Crashpad\reports" /a
  2⤵
  PID:4360
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Crashpad\reports" /grant Administrators:F
  2⤵
  PID:5088
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet" /a
  2⤵
  PID:2780
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet" /grant Administrators:F
  2⤵
  PID:2936
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:540
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\dotnet.exe" /a
  2⤵
  PID:1392
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\dotnet.exe" /grant Administrators:F
  2⤵
  PID:4892
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host" /a
  2⤵
  PID:3920
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host" /grant Administrators:F
  2⤵
  PID:1608
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr" /a
  2⤵
  PID:1636
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr" /grant Administrators:F
  2⤵
  PID:3084
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr\6.0.27" /a
  2⤵
  PID:4000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr\6.0.27" /grant Administrators:F
  2⤵
  PID:2820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr\7.0.16" /a
  2⤵
  PID:4444
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr\7.0.16" /grant Administrators:F
  2⤵
  PID:2632
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr\8.0.2" /a
  2⤵
  PID:1436
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr\8.0.2" /grant Administrators:F
  2⤵
  PID:2160
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared" /a
  2⤵
  PID:2236
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared" /grant Administrators:F
  2⤵
  PID:880
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App" /a
  2⤵
  - Possible privilege escalation attempt
  PID:996
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App" /grant Administrators:F
  2⤵
  PID:1536
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2936
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27" /a
  2⤵
  - Possible privilege escalation attempt
  PID:968
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27" /grant Administrators:F
  2⤵
  PID:2860
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1812
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe" /a
  2⤵
  PID:4136
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5096
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16" /a
  2⤵
  PID:2304
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16" /grant Administrators:F
  2⤵
  PID:2096
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe" /a
  2⤵
  PID:1504
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe" /grant Administrators:F
  2⤵
  PID:408
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2020
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3028
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2" /grant Administrators:F
  2⤵
  PID:3788
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe" /a
  2⤵
  PID:268
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe" /grant Administrators:F
  2⤵
  PID:1436
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2236
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App" /a
  2⤵
  PID:3520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App" /grant Administrators:F
  2⤵
  PID:3224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27" /a
  2⤵
  PID:4912
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27" /grant Administrators:F
  2⤵
  PID:2860
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:996
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs" /a
  2⤵
  PID:4020
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs" /grant Administrators:F
  2⤵
  PID:3432
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de" /a
  2⤵
  PID:4636
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:4612
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es" /a
  2⤵
  PID:4128
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es" /grant Administrators:F
  2⤵
  PID:548
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr" /a
  2⤵
  PID:4000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr" /grant Administrators:F
  2⤵
  PID:1896
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it" /a
  2⤵
  - Possible privilege escalation attempt
  PID:3088
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2976
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja" /a
  2⤵
  PID:4012
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja" /grant Administrators:F
  2⤵
  PID:3264
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko" /a
  2⤵
  PID:1148
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko" /grant Administrators:F
  2⤵
  PID:1392
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl" /a
  2⤵
  PID:968
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:3656
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR" /a
  2⤵
  PID:3288
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR" /grant Administrators:F
  2⤵
  PID:2204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru" /a
  2⤵
  PID:932
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru" /grant Administrators:F
  2⤵
  PID:1648
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr" /a
  2⤵
  PID:4708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr" /grant Administrators:F
  2⤵
  PID:4392
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans" /a
  2⤵
  PID:5008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans" /grant Administrators:F
  2⤵
  PID:2440
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant" /a
  2⤵
  PID:4004
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2780
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant" /grant Administrators:F
  2⤵
  PID:1436
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16" /a
  2⤵
  PID:1308
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16" /grant Administrators:F
  2⤵
  PID:4848
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs" /a
  2⤵
  PID:2824
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs" /grant Administrators:F
  2⤵
  PID:968
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de" /a
  2⤵
  PID:1168
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3920
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de" /grant Administrators:F
  2⤵
  PID:3432
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2096
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es" /a
  2⤵
  PID:2332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es" /grant Administrators:F
  2⤵
  PID:1648
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr" /a
  2⤵
  - Modifies file permissions
  PID:304
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr" /grant Administrators:F
  2⤵
  PID:5104
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it" /a
  2⤵
  PID:5068
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:880
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it" /grant Administrators:F
  2⤵
  PID:3164
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja" /a
  2⤵
  PID:2868
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja" /grant Administrators:F
  2⤵
  PID:296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko" /a
  2⤵
  PID:280
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko" /grant Administrators:F
  2⤵
  PID:3656
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1392
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl" /a
  2⤵
  PID:1636
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1608
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl" /grant Administrators:F
  2⤵
  PID:4592
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR" /a
  2⤵
  PID:2824
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR" /grant Administrators:F
  2⤵
  PID:2680
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru" /a
  2⤵
  PID:1856
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru" /grant Administrators:F
  2⤵
  PID:3260
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr" /a
  2⤵
  PID:304
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1648
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr" /grant Administrators:F
  2⤵
  PID:4444
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans" /a
  2⤵
  PID:2780
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans" /grant Administrators:F
  2⤵
  PID:2020
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2160
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant" /a
  2⤵
  PID:832
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant" /grant Administrators:F
  2⤵
  PID:1696
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4636
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2" /a
  2⤵
  PID:3380
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:968
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs" /a
  2⤵
  PID:2484
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs" /grant Administrators:F
  2⤵
  PID:4524
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de" /a
  2⤵
  PID:1852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de" /grant Administrators:F
  2⤵
  PID:4420
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es" /a
  2⤵
  PID:3500
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5060
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2860
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr" /a
  2⤵
  - Possible privilege escalation attempt
  PID:4296
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr" /grant Administrators:F
  2⤵
  PID:2700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it" /a
  2⤵
  - Modifies file permissions
  PID:3492
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it" /grant Administrators:F
  2⤵
  PID:1312
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja" /a
  2⤵
  PID:4024
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:932
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja" /grant Administrators:F
  2⤵
  PID:2824
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko" /a
  2⤵
  PID:2400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko" /grant Administrators:F
  2⤵
  PID:3088
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl" /a
  2⤵
  PID:1776
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl" /grant Administrators:F
  2⤵
  PID:4980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR" /a
  2⤵
  - Modifies file permissions
  PID:2148
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR" /grant Administrators:F
  2⤵
  PID:4608
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru" /a
  2⤵
  PID:5096
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru" /grant Administrators:F
  2⤵
  PID:2204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr" /a
  2⤵
  PID:3636
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr" /grant Administrators:F
  2⤵
  PID:2540
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans" /a
  2⤵
  PID:4004
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans" /grant Administrators:F
  2⤵
  PID:3128
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant" /a
  2⤵
  PID:2484
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant" /grant Administrators:F
  2⤵
  PID:1852
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\swidtag" /a
  2⤵
  PID:4444
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\swidtag" /grant Administrators:F
  2⤵
  PID:2020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google" /a
  2⤵
  PID:1892
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google" /grant Administrators:F
  2⤵
  PID:4204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome" /a
  2⤵
  PID:3480
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome" /grant Administrators:F
  2⤵
  PID:4056
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2540
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:4708
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3264
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\chrome.exe" /a
  2⤵
  PID:2556
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\chrome.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1312
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60" /a
  2⤵
  PID:3108
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60" /grant Administrators:F
  2⤵
  PID:2148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe" /a
  2⤵
  PID:4848
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe" /grant Administrators:F
  2⤵
  PID:2204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\default_apps" /a
  2⤵
  PID:4056
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\default_apps" /grant Administrators:F
  2⤵
  PID:3696
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Extensions" /a
  2⤵
  PID:512
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Extensions" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1392
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer" /a
  2⤵
  PID:3108
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer" /grant Administrators:F
  2⤵
  PID:2904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe" /a
  2⤵
  PID:540
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4848
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe" /grant Administrators:F
  2⤵
  PID:272
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales" /grant Administrators:F
  2⤵
  PID:1840
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\MEIPreload" /a
  2⤵
  PID:3404
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\MEIPreload" /grant Administrators:F
  2⤵
  PID:3788
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\PrivacySandboxAttestationsPreloaded" /a
  2⤵
  PID:3636
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\PrivacySandboxAttestationsPreloaded" /grant Administrators:F
  2⤵
  PID:1424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\VisualElements" /a
  2⤵
  PID:3480
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\VisualElements" /grant Administrators:F
  2⤵
  PID:712
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm" /a
  2⤵
  - Modifies file permissions
  PID:3176
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2976
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm" /grant Administrators:F
  2⤵
  PID:4984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific" /a
  2⤵
  PID:4548
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific" /grant Administrators:F
  2⤵
  PID:2020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific\win_x64" /a
  2⤵
  PID:3224
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific\win_x64" /grant Administrators:F
  2⤵
  PID:3500
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\SetupMetrics" /a
  2⤵
  PID:3996
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\SetupMetrics" /grant Administrators:F
  2⤵
  PID:4784
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer" /a
  2⤵
  PID:3636
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer" /grant Administrators:F
  2⤵
  PID:1536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\ExtExport.exe" /a
  2⤵
  PID:1632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\ExtExport.exe" /grant Administrators:F
  2⤵
  PID:2508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\de-DE" /a
  2⤵
  PID:2484
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\de-DE" /grant Administrators:F
  2⤵
  PID:280
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\en-US" /a
  2⤵
  PID:4524
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\en-US" /grant Administrators:F
  2⤵
  PID:4548
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\es-ES" /a
  2⤵
  - Possible privilege escalation attempt
  PID:64
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2020
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\es-ES" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2432
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\fr-FR" /a
  2⤵
  PID:116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\fr-FR" /grant Administrators:F
  2⤵
  PID:2068
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\images" /a
  2⤵
  - Modifies file permissions
  PID:3480
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\images" /grant Administrators:F
  2⤵
  PID:2540
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\it-IT" /a
  2⤵
  PID:512
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\it-IT" /grant Administrators:F
  2⤵
  PID:4024
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\ja-JP" /a
  2⤵
  PID:712
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\ja-JP" /grant Administrators:F
  2⤵
  PID:2484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\SIGNUP" /a
  2⤵
  PID:4660
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\SIGNUP" /grant Administrators:F
  2⤵
  PID:2108
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\uk-UA" /a
  2⤵
  PID:1368
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\uk-UA" /grant Administrators:F
  2⤵
  PID:4364
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java" /a
  2⤵
  - Modifies file permissions
  PID:1696
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java" /grant Administrators:F
  2⤵
  PID:116
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8" /a
  2⤵
  - Modifies file permissions
  PID:3500
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2904
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8" /grant Administrators:F
  2⤵
  PID:3404
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\bin" /a
  2⤵
  PID:3432
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\bin" /grant Administrators:F
  2⤵
  PID:3320
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe" /a
  2⤵
  PID:280
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:3176
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\include" /a
  2⤵
  - Modifies file permissions
  PID:3520
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3224
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\include" /grant Administrators:F
  2⤵
  PID:4420
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\include\win32" /a
  2⤵
  PID:4364
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\include\win32" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3320
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\include\win32\bridge" /a
  2⤵
  PID:1632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\include\win32\bridge" /grant Administrators:F
  2⤵
  PID:2068
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre" /a
  2⤵
  PID:1100
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:3520
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin" /a
  2⤵
  PID:1856
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin" /grant Administrators:F
  2⤵
  PID:4660
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe" /a
  2⤵
  PID:1536
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe" /grant Administrators:F
  2⤵
  PID:2044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin" /a
  2⤵
  PID:3696
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:836
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2" /a
  2⤵
  PID:3520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:4932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin\server" /a
  2⤵
  PID:1176
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin\server" /grant Administrators:F
  2⤵
  PID:3728
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\legal" /a
  2⤵
  PID:3668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\legal" /grant Administrators:F
  2⤵
  PID:3028
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\legal\javafx" /a
  2⤵
  PID:3176
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\legal\javafx" /grant Administrators:F
  2⤵
  PID:2700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\legal\jdk" /a
  2⤵
  PID:64
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\legal\jdk" /grant Administrators:F
  2⤵
  PID:4424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib" /a
  2⤵
  PID:2160
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib" /grant Administrators:F
  2⤵
  PID:4980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\amd64" /a
  2⤵
  PID:4732
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\amd64" /grant Administrators:F
  2⤵
  PID:2148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\applet" /a
  2⤵
  PID:5088
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\applet" /grant Administrators:F
  2⤵
  PID:4024
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\cmm" /a
  2⤵
  PID:1536
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\cmm" /grant Administrators:F
  2⤵
  PID:3176
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\deploy" /a
  2⤵
  PID:4364
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\deploy" /grant Administrators:F
  2⤵
  PID:1092
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3432
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\ext" /a
  2⤵
  PID:4524
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\ext" /grant Administrators:F
  2⤵
  PID:760
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\fonts" /a
  2⤵
  PID:280
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\fonts" /grant Administrators:F
  2⤵
  PID:2432
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\images" /a
  2⤵
  PID:1176
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\images" /grant Administrators:F
  2⤵
  PID:4268
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors" /a
  2⤵
  PID:2148
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors" /grant Administrators:F
  2⤵
  PID:968
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\jfr" /a
  2⤵
  PID:2700
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\jfr" /grant Administrators:F
  2⤵
  PID:4984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\management" /a
  2⤵
  - Possible privilege escalation attempt
  PID:4000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\management" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:3224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\security" /a
  2⤵
  PID:4268
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\security" /grant Administrators:F
  2⤵
  PID:3320
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5008
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy" /a
  2⤵
  PID:4660
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy" /grant Administrators:F
  2⤵
  PID:2160
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited" /a
  2⤵
  PID:280
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited" /grant Administrators:F
  2⤵
  PID:3404
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited" /a
  2⤵
  PID:1976
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited" /grant Administrators:F
  2⤵
  PID:2508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\legal" /a
  2⤵
  PID:1900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\legal" /grant Administrators:F
  2⤵
  PID:3320
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\legal\javafx" /a
  2⤵
  PID:2068
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\legal\javafx" /grant Administrators:F
  2⤵
  PID:2160
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\legal\jdk" /a
  2⤵
  PID:4444
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\legal\jdk" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:272
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\lib" /a
  2⤵
  - Possible privilege escalation attempt
  PID:4000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\lib" /grant Administrators:F
  2⤵
  PID:2020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8" /a
  2⤵
  PID:3696
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8" /grant Administrators:F
  2⤵
  PID:3288
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin" /a
  2⤵
  - Modifies file permissions
  PID:1900
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1976
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin" /grant Administrators:F
  2⤵
  PID:1168
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin\jabswitch.exe" /a
  2⤵
  PID:116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin\jabswitch.exe" /grant Administrators:F
  2⤵
  PID:272
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin\dtplugin" /a
  2⤵
  PID:4660
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin\dtplugin" /grant Administrators:F
  2⤵
  PID:1140
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin\plugin2" /a
  2⤵
  PID:1696
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin\plugin2" /grant Administrators:F
  2⤵
  PID:4216
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin\server" /a
  2⤵
  PID:5016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin\server" /grant Administrators:F
  2⤵
  PID:3996
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3728
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\legal" /a
  2⤵
  PID:3668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\legal" /grant Administrators:F
  2⤵
  PID:992
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\legal\javafx" /a
  2⤵
  PID:280
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\legal\javafx" /grant Administrators:F
  2⤵
  PID:3108
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\legal\jdk" /a
  2⤵
  PID:4268
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\legal\jdk" /grant Administrators:F
  2⤵
  PID:4660
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib" /a
  2⤵
  PID:3996
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib" /grant Administrators:F
  2⤵
  PID:1788
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3520
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\amd64" /a
  2⤵
  PID:2044
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\amd64" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\applet" /a
  2⤵
  PID:1140
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1176
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\applet" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:3492
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\cmm" /a
  2⤵
  PID:2136
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\cmm" /grant Administrators:F
  2⤵
  PID:4024
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\deploy" /a
  2⤵
  PID:4420
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\deploy" /grant Administrators:F
  2⤵
  PID:3500
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\ext" /a
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3028
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\ext" /grant Administrators:F
  2⤵
  PID:2700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\fonts" /a
  2⤵
  PID:760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\fonts" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:3788
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\images" /a
  2⤵
  PID:4984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\images" /grant Administrators:F
  2⤵
  PID:3108
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\images\cursors" /a
  2⤵
  PID:2432
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\images\cursors" /grant Administrators:F
  2⤵
  PID:3500
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\jfr" /a
  2⤵
  PID:992
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\jfr" /grant Administrators:F
  2⤵
  PID:1424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\management" /a
  2⤵
  PID:4980
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3288
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\management" /grant Administrators:F
  2⤵
  PID:1392
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\security" /a
  2⤵
  PID:272
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\security" /grant Administrators:F
  2⤵
  PID:4444
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\security\policy" /a
  2⤵
  PID:2204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\security\policy" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\security\policy\limited" /a
  2⤵
  PID:64
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\security\policy\limited" /grant Administrators:F
  2⤵
  PID:836
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited" /a
  2⤵
  PID:1900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited" /grant Administrators:F
  2⤵
  PID:272
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office" /a
  2⤵
  PID:4928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office" /grant Administrators:F
  2⤵
  PID:1424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\Office16" /a
  2⤵
  PID:4296
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\Office16" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1100
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE" /a
  2⤵
  PID:1308
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE" /grant Administrators:F
  2⤵
  PID:3668
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\PackageManifests" /a
  2⤵
  PID:1704
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\PackageManifests" /grant Administrators:F
  2⤵
  PID:1900
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root" /a
  2⤵
  PID:4588
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root" /grant Administrators:F
  2⤵
  PID:2068
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Client" /a
  2⤵
  PID:760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Client" /grant Administrators:F
  2⤵
  PID:3680
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe" /a
  2⤵
  PID:1424
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe" /grant Administrators:F
  2⤵
  PID:1688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Document Themes 16" /a
  2⤵
  PID:1856
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3320
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Document Themes 16" /grant Administrators:F
  2⤵
  PID:1140
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors" /a
  2⤵
  PID:1368
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors" /grant Administrators:F
  2⤵
  PID:3288
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects" /a
  2⤵
  - Modifies file permissions
  PID:1840
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1100
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects" /grant Administrators:F
  2⤵
  PID:1900
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts" /a
  2⤵
  - Modifies file permissions
  PID:4364
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts" /grant Administrators:F
  2⤵
  PID:2432
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4732
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\fre" /a
  2⤵
  PID:2700
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\fre" /grant Administrators:F
  2⤵
  PID:992
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Integration" /a
  2⤵
  PID:4660
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Integration" /grant Administrators:F
  2⤵
  PID:836
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Integration\Integrator.exe" /a
  2⤵
  PID:3224
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4444
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Integration\Integrator.exe" /grant Administrators:F
  2⤵
  PID:3500
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3492
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Integration\Addons" /a
  2⤵
  PID:4424
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Integration\Addons" /grant Administrators:F
  2⤵
  PID:4000
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe" /a
  2⤵
  - Modifies file permissions
  PID:2136
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe" /grant Administrators:F
  2⤵
  PID:2484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Licenses" /a
  2⤵
  PID:4420
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Licenses" /grant Administrators:F
  2⤵
  PID:4024
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Licenses16" /a
  2⤵
  PID:4268
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Licenses16" /grant Administrators:F
  2⤵
  PID:3668
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\loc" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\loc" /grant Administrators:F
  2⤵
  PID:3288
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office15" /a
  2⤵
  PID:1776
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office15" /grant Administrators:F
  2⤵
  PID:4984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16" /a
  2⤵
  PID:2136
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16" /grant Administrators:F
  2⤵
  PID:3932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE" /a
  2⤵
  PID:2236
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE" /grant Administrators:F
  2⤵
  PID:4000
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\1033" /a
  2⤵
  PID:4216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\1033" /grant Administrators:F
  2⤵
  PID:3404
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography" /a
  2⤵
  PID:4928
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:64
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography" /grant Administrators:F
  2⤵
  PID:4000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\1033\DataServices" /a
  2⤵
  PID:3668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\1033\DataServices" /grant Administrators:F
  2⤵
  PID:4420
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles" /a
  2⤵
  PID:1092
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles" /grant Administrators:F
  2⤵
  PID:1492
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\1036" /a
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3500
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2160
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\1036" /grant Administrators:F
  2⤵
  PID:3932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\3082" /a
  2⤵
  PID:280
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4524
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\3082" /grant Administrators:F
  2⤵
  PID:3696
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS" /a
  2⤵
  PID:2136
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS" /grant Administrators:F
  2⤵
  PID:712
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In" /a
  2⤵
  PID:2440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In" /grant Administrators:F
  2⤵
  PID:3932
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated" /a
  2⤵
  PID:3432
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated" /grant Administrators:F
  2⤵
  PID:3176
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5060
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin" /a
  2⤵
  PID:5016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin" /grant Administrators:F
  2⤵
  PID:1632
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe" /a
  2⤵
  PID:3176
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2068
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in" /a
  2⤵
  PID:2772
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in" /grant Administrators:F
  2⤵
  PID:712
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in" /a
  2⤵
  PID:4980
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2068
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in" /a
  2⤵
  PID:1632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in" /grant Administrators:F
  2⤵
  PID:1776
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges" /a
  2⤵
  PID:4000
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges" /grant Administrators:F
  2⤵
  PID:4984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3996
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en" /a
  2⤵
  PID:3828
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en" /grant Administrators:F
  2⤵
  PID:3176
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources" /a
  2⤵
  PID:5140
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources" /grant Administrators:F
  2⤵
  PID:5188
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033" /a
  2⤵
  PID:5240
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033" /grant Administrators:F
  2⤵
  PID:5292
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\AugLoop" /a
  2⤵
  PID:5344
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\AugLoop" /grant Administrators:F
  2⤵
  PID:5404
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Bibliography" /a
  2⤵
  PID:5464
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Bibliography" /grant Administrators:F
  2⤵
  PID:5520
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort" /a
  2⤵
  PID:5576
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort" /grant Administrators:F
  2⤵
  PID:5640
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style" /a
  2⤵
  PID:5696
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style" /grant Administrators:F
  2⤵
  PID:5752
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\BORDERS" /a
  2⤵
  PID:5808
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\BORDERS" /grant Administrators:F
  2⤵
  PID:5864
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Configuration" /a
  2⤵
  PID:5920
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Configuration" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Document Parts" /a
  2⤵
  PID:6040
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Document Parts" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:6084
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033" /a
  2⤵
  PID:5124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033" /grant Administrators:F
  2⤵
  PID:5172
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16" /a
  2⤵
  PID:5228
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16" /grant Administrators:F
  2⤵
  PID:996
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_f14" /a
  2⤵
  PID:5372
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_f14" /grant Administrators:F
  2⤵
  PID:5452
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_f2" /a
  2⤵
  PID:5500
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_f2" /grant Administrators:F
  2⤵
  PID:4000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_f3" /a
  2⤵
  PID:3432
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_f3" /grant Administrators:F
  2⤵
  PID:5520
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_f33" /a
  2⤵
  PID:5612
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_f33" /grant Administrators:F
  2⤵
  PID:5648
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_f4" /a
  2⤵
  PID:5704
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_f4" /grant Administrators:F
  2⤵
  PID:5576
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_f7" /a
  2⤵
  PID:5816
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_f7" /grant Administrators:F
  2⤵
  PID:5808
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006" /a
  2⤵
  PID:5928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5992
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008" /a
  2⤵
  - Modifies file permissions
  PID:6124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3028
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009" /a
  2⤵
  PID:5200
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009" /grant Administrators:F
  2⤵
  PID:5284
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011" /a
  2⤵
  PID:5172
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011" /grant Administrators:F
  2⤵
  PID:5224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050" /a
  2⤵
  PID:5376
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050" /grant Administrators:F
  2⤵
  PID:5440
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_w1" /a
  2⤵
  PID:5544
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_w1" /grant Administrators:F
  2⤵
  PID:3828
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Library" /a
  2⤵
  PID:5136
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Library" /grant Administrators:F
  2⤵
  PID:5596
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Library\Analysis" /a
  2⤵
  PID:5644
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Library\Analysis" /grant Administrators:F
  2⤵
  PID:5764
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER" /a
  2⤵
  PID:5692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER" /grant Administrators:F
  2⤵
  PID:5908
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard" /a
  2⤵
  PID:5804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5648
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images" /a
  2⤵
  PID:6008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images" /grant Administrators:F
  2⤵
  PID:6108
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default" /a
  2⤵
  PID:4268
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4524
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default" /grant Administrators:F
  2⤵
  PID:3480
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\LogoImages" /a
  2⤵
  - Modifies file permissions
  PID:5148
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\LogoImages" /grant Administrators:F
  2⤵
  PID:5152
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MEDIA" /a
  2⤵
  PID:5312
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MEDIA" /grant Administrators:F
  2⤵
  PID:5364
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC" /a
  2⤵
  PID:5380
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC" /grant Administrators:F
  2⤵
  PID:5512
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar" /a
  2⤵
  PID:5532
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar" /grant Administrators:F
  2⤵
  PID:5564
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3176
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg" /a
  2⤵
  PID:4000
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg" /grant Administrators:F
  2⤵
  PID:5372
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca" /a
  2⤵
  PID:5588
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca" /grant Administrators:F
  2⤵
  PID:5788
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs" /a
  2⤵
  PID:5784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs" /grant Administrators:F
  2⤵
  PID:5820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\da" /a
  2⤵
  PID:5884
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\da" /grant Administrators:F
  2⤵
  PID:992
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\de" /a
  2⤵
  PID:5648
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\de" /grant Administrators:F
  2⤵
  PID:6076
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\el" /a
  2⤵
  PID:6064
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\el" /grant Administrators:F
  2⤵
  PID:3404
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us" /a
  2⤵
  PID:6008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us" /grant Administrators:F
  2⤵
  PID:5168
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\es" /a
  2⤵
  PID:5156
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\es" /grant Administrators:F
  2⤵
  PID:5284
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\et" /a
  2⤵
  PID:6132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\et" /grant Administrators:F
  2⤵
  PID:5316
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu" /a
  2⤵
  PID:5412
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu" /grant Administrators:F
  2⤵
  PID:2700
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4660
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi" /a
  2⤵
  PID:5524
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi" /grant Administrators:F
  2⤵
  PID:4984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr" /a
  2⤵
  PID:3932
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr" /grant Administrators:F
  2⤵
  PID:5712
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl" /a
  2⤵
  PID:4980
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl" /grant Administrators:F
  2⤵
  PID:5604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\he" /a
  2⤵
  PID:5840
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\he" /grant Administrators:F
  2⤵
  PID:5944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi" /a
  2⤵
  PID:5692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi" /grant Administrators:F
  2⤵
  PID:5804
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr" /a
  2⤵
  - Possible privilege escalation attempt
  PID:5700
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr" /grant Administrators:F
  2⤵
  PID:6104
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3108
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu" /a
  2⤵
  PID:5640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu" /grant Administrators:F
  2⤵
  PID:6124
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\id" /a
  2⤵
  PID:5132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\id" /grant Administrators:F
  2⤵
  PID:2432
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\it" /a
  2⤵
  PID:5228
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\it" /grant Administrators:F
  2⤵
  PID:5232
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja" /a
  2⤵
  PID:2236
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja" /grant Administrators:F
  2⤵
  PID:5488
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk" /a
  2⤵
  PID:5476
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk" /grant Administrators:F
  2⤵
  PID:5536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko" /a
  2⤵
  PID:2068
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko" /grant Administrators:F
  2⤵
  PID:5552
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt" /a
  2⤵
  PID:5400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt" /grant Administrators:F
  2⤵
  PID:5644
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv" /a
  2⤵
  PID:5776
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv" /grant Administrators:F
  2⤵
  PID:5936
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms" /a
  2⤵
  PID:5620
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms" /grant Administrators:F
  2⤵
  PID:5968
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl" /a
  2⤵
  PID:6028
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:6096
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\no" /a
  2⤵
  - Possible privilege escalation attempt
  PID:6076
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2540
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\no" /grant Administrators:F
  2⤵
  PID:1168
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl" /a
  2⤵
  PID:4024
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl" /grant Administrators:F
  2⤵
  PID:5948
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt" /a
  2⤵
  PID:5280
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt" /grant Administrators:F
  2⤵
  PID:5156
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR" /a
  2⤵
  PID:5304
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR" /grant Administrators:F
  2⤵
  PID:5296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro" /a
  2⤵
  PID:5376
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro" /grant Administrators:F
  2⤵
  PID:5388
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru" /a
  2⤵
  PID:5160
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru" /grant Administrators:F
  2⤵
  PID:5564
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk" /a
  2⤵
  PID:3932
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk" /grant Administrators:F
  2⤵
  PID:5136
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl" /a
  2⤵
  PID:5748
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl" /grant Administrators:F
  2⤵
  PID:5644
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA" /a
  2⤵
  PID:5520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA" /grant Administrators:F
  2⤵
  PID:5944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS" /a
  2⤵
  PID:5884
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS" /grant Administrators:F
  2⤵
  PID:6128
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS" /a
  2⤵
  PID:6052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS" /grant Administrators:F
  2⤵
  PID:5216
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv" /a
  2⤵
  PID:6004
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv" /grant Administrators:F
  2⤵
  PID:5204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\th" /a
  2⤵
  PID:5200
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\th" /grant Administrators:F
  2⤵
  PID:4024
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr" /a
  2⤵
  PID:5312
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr" /grant Administrators:F
  2⤵
  PID:4160
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk" /a
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5144
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk" /grant Administrators:F
  2⤵
  PID:5316
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi" /a
  2⤵
  PID:1424
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi" /grant Administrators:F
  2⤵
  PID:5224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN" /a
  2⤵
  PID:5516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5732
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW" /a
  2⤵
  - Possible privilege escalation attempt
  PID:5764
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:5740
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers" /a
  2⤵
  PID:5600
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers" /grant Administrators:F
  2⤵
  PID:5340
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift" /a
  2⤵
  - Possible privilege escalation attempt
  PID:5808
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift" /grant Administrators:F
  2⤵
  PID:5616
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib" /a
  2⤵
  PID:5804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:6000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA" /a
  2⤵
  PID:6108
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA" /grant Administrators:F
  2⤵
  PID:1140
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce" /a
  2⤵
  PID:5152
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce" /grant Administrators:F
  2⤵
  PID:6084
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib" /a
  2⤵
  PID:6112
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib" /grant Administrators:F
  2⤵
  PID:6072
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033" /a
  2⤵
  PID:5916
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033" /grant Administrators:F
  2⤵
  PID:5388
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA" /a
  2⤵
  PID:5532
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA" /grant Administrators:F
  2⤵
  PID:5564
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA" /a
  2⤵
  PID:5524
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA" /grant Administrators:F
  2⤵
  PID:5792
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA" /a
  2⤵
  - Modifies file permissions
  PID:5684
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA" /grant Administrators:F
  2⤵
  PID:5752
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\OneNote" /a
  2⤵
  PID:4908
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\OneNote" /grant Administrators:F
  2⤵
  PID:5972
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\osfFPA" /a
  2⤵
  PID:4600
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\osfFPA" /grant Administrators:F
  2⤵
  PID:5656
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE" /a
  2⤵
  PID:5128
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3500
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE" /grant Administrators:F
  2⤵
  PID:2148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\PersonaSpy" /a
  2⤵
  PID:5976
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\PersonaSpy" /grant Administrators:F
  2⤵
  PID:5192
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\PROOF" /a
  2⤵
  PID:712
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\PROOF" /grant Administrators:F
  2⤵
  PID:6104
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\QUERIES" /a
  2⤵
  PID:996
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\QUERIES" /grant Administrators:F
  2⤵
  PID:1516
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\SAMPLES" /a
  2⤵
  PID:5916
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\SAMPLES" /grant Administrators:F
  2⤵
  PID:5160
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs" /a
  2⤵
  PID:5716
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs" /grant Administrators:F
  2⤵
  PID:5548
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018" /a
  2⤵
  PID:5556
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018" /grant Administrators:F
  2⤵
  PID:3932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview" /a
  2⤵
  PID:5848
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview" /grant Administrators:F
  2⤵
  PID:5944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib" /a
  2⤵
  PID:5996
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib" /grant Administrators:F
  2⤵
  PID:5912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common" /a
  2⤵
  PID:5676
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common" /grant Administrators:F
  2⤵
  PID:6028
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets" /a
  2⤵
  PID:5216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets" /grant Administrators:F
  2⤵
  PID:3028
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027" /a
  2⤵
  PID:5204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027" /grant Administrators:F
  2⤵
  PID:5248
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets" /a
  2⤵
  PID:5424
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1776
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons" /a
  2⤵
  PID:5376
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons" /grant Administrators:F
  2⤵
  PID:6104
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042" /a
  2⤵
  PID:5540
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:5144
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets" /a
  2⤵
  PID:5344
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets" /grant Administrators:F
  2⤵
  PID:4000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets" /a
  2⤵
  PID:3840
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets" /grant Administrators:F
  2⤵
  PID:5712
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images" /a
  2⤵
  PID:5236
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images" /grant Administrators:F
  2⤵
  PID:4908
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049" /a
  2⤵
  PID:5900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049" /grant Administrators:F
  2⤵
  PID:1628
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\SkypeSrv" /a
  2⤵
  - Modifies file permissions
  PID:5244
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\SkypeSrv" /grant Administrators:F
  2⤵
  PID:5944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE" /a
  2⤵
  PID:4024
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE" /grant Administrators:F
  2⤵
  PID:6116
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\STARTUP" /a
  2⤵
  PID:3404
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\STARTUP" /grant Administrators:F
  2⤵
  PID:6052
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\XLSTART" /a
  2⤵
  PID:1516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\XLSTART" /grant Administrators:F
  2⤵
  PID:4952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\rsod" /a
  2⤵
  PID:5468
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1424
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\rsod" /grant Administrators:F
  2⤵
  PID:4728
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates" /a
  2⤵
  PID:5160
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates" /grant Administrators:F
  2⤵
  PID:4000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates\1033" /a
  2⤵
  PID:5796
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates\1033" /grant Administrators:F
  2⤵
  PID:5688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16" /a
  2⤵
  PID:3696
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16" /grant Administrators:F
  2⤵
  PID:5896
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE" /a
  2⤵
  PID:5960
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE" /grant Administrators:F
  2⤵
  PID:1536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16" /a
  2⤵
  PID:2460
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16" /grant Administrators:F
  2⤵
  PID:5216
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery" /a
  2⤵
  PID:5900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery" /grant Administrators:F
  2⤵
  PID:5232
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates\Presentation Designs" /a
  2⤵
  PID:5512
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates\Presentation Designs" /grant Administrators:F
  2⤵
  PID:272
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs" /a
  2⤵
  PID:1704
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs" /grant Administrators:F
  2⤵
  PID:2236
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Common AppData" /a
  2⤵
  PID:6124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Common AppData" /grant Administrators:F
  2⤵
  PID:5444
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft" /a
  2⤵
  PID:5716
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft" /grant Administrators:F
  2⤵
  PID:5356
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE" /a
  2⤵
  PID:5736
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE" /grant Administrators:F
  2⤵
  PID:5608
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat" /a
  2⤵
  PID:5744
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat" /grant Administrators:F
  2⤵
  PID:5808
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help" /a
  2⤵
  PID:5584
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help" /grant Administrators:F
  2⤵
  PID:3696
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Fonts" /a
  2⤵
  PID:5804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Fonts" /grant Administrators:F
  2⤵
  PID:5284
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Fonts\private" /a
  2⤵
  PID:4512
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Fonts\private" /grant Administrators:F
  2⤵
  PID:4268
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64" /a
  2⤵
  PID:6000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64" /grant Administrators:F
  2⤵
  PID:5920
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER" /a
  2⤵
  PID:5148
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER" /grant Administrators:F
  2⤵
  PID:5428
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared" /a
  2⤵
  PID:712
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared" /grant Administrators:F
  2⤵
  PID:5424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW" /a
  2⤵
  PID:6124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW" /grant Administrators:F
  2⤵
  PID:5720
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" /a
  2⤵
  PID:2136
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" /grant Administrators:F
  2⤵
  PID:5764
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION" /a
  2⤵
  PID:1068
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION" /grant Administrators:F
  2⤵
  PID:1168
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033" /a
  2⤵
  PID:5740
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033" /grant Administrators:F
  2⤵
  PID:5868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO" /a
  2⤵
  PID:6076
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO" /grant Administrators:F
  2⤵
  PID:5804
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters" /a
  2⤵
  PID:5944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4132

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x540 0x520
1⤵
PID:4544

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\325309509

Filesize
424KB

MD5
9e4c4943567cf55b615da00933eaa1ab

SHA1
c7f052a5633ae2bb9896737b5a81f45299f37b4b

SHA256
940ef29d76bd52b57eca51afb27eecb9870a33f63367b45fb0c29133237a8a67

SHA512
d0896bf2dfd0f88851015acba5274f6960507b12d2fd8b02755a76a797e1ff9ec19c01068a3d6303a8e0f6da3513d6a7e4ab78e27ddda52c23cd1a93e4b9e44c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\msvcp120ex.dll

Filesize
8.0MB

MD5
ded051be69dd3bca348fa528f52d6eb5

SHA1
dad76cb59c4d8460e45367e97d00f59051235b39

SHA256
a263703159157a5d0c4f327fd64e58b4111ec2ec3df1cfe9537792f44214ecba

SHA512
b1667bcd26e78a08bbf44f48b7413fff37f1edf7fa6d7404f1052e8f31aed9141f6ea3f46b8549f1dbd2f28b3527164ea264b8de419b94c47ccba39721ecabb6

Download Submit
C:\Program Files\Microsoft Office\root\Integration\Addons\67974587

Filesize
26.7MB

MD5
568ba3c5f0b8cd09c2d067bde25e2ff1

SHA1
0f1946fe912cbddba1792d1a65032f38300f0548

SHA256
4a354c3678558f8682603c39193f8d1256a56c22257fb39bebba09123e9a3173

SHA512
a3975630d870d45b54430157e4ec90ecd20f6e2ae228ee0f54ba68bd16535c40be7e82610780550ebce56dc7e46bd036173aa7d427289ee4ec3f852eb728fa1c

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\530246640

Filesize
2.4MB

MD5
3360c59108eee1f264f4e9c67c6241eb

SHA1
133ff08d093de913c666c19afd1cd30bbdfe0f03

SHA256
0034a72cdadebdf716cf0a31ac1b112a3864a6b9c37596614d16888ab46665d0

SHA512
00dba219f41662b676e190a0e6dcdc46f2dbd4c4801b2564102204c49c72db7ded8260c408f993e80f2305364d3d856c679bec4c1f35146823da5d5eb7e83603

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\RCX5B4E.tmp

Filesize
360KB

MD5
218e18002822b9a3f9fbb5b609f24a03

SHA1
b50a0f3a9d2faf51278081a35f131035ad3860b6

SHA256
e33aecf0678644129fd44a7711a50ca3e648bd92d2a2d9559145f2d3207e5f4e

SHA512
e619f4a104def71c06e52a2a0b8a23dfddafec3cf7d7205217c38fc3a1d474aa8f7e0dc398d6b9b19a6eb272a092d3ae164e4fe763630994b90425ff6fa5480d

Download Submit
C:\Users\Admin\AppData\Local\Temp\63256100

Filesize
307KB

MD5
f1a9b4b1f750bb90b7240f38aa3fd939

SHA1
4d630bd6b89f4ba0315ed37035d5e32775a7b969

SHA256
7cc9be747a138d8b9e716ee5f16188215b730af91d9fe954d8e172f515f5b498

SHA512
e4d6eea0e415d27f39224af29cef84bd55fb098b06c7aaee38d6eac34621ca3585bbae0d2fc2938bbe5755fd6d3bbbf47f9c4bc29a6e6914f761c1c76e4a107f

Download Submit
C:\Windows\System32\msconfig.exe

Filesize
35KB

MD5
62f170fb07fdbb79ceb7147101406eb8

SHA1
d9bbb4e4900ff03b0486fac32768170249dad82d

SHA256
53e000f5aa9b3a00934319db8080bb99cb323bf48fc628a64f75d7847c265606

SHA512
81bd918ec7617acea3d8b5659ac518e5bc19e585f49bdd601fff6fadea95f2fd57450ee41d181280089b92c949289249a350aa5428e2e31b53fdff2f47c46265

Download Submit
memory/1416-46-0x00007FFBA5720000-0x00007FFBA61E1000-memory.dmp

Filesize
10.8MB

Download
memory/1416-113-0x000000001CCD0000-0x000000001CD30000-memory.dmp

Filesize
384KB

Download
memory/1416-43-0x00007FFBA5723000-0x00007FFBA5725000-memory.dmp

Filesize
8KB

Download
memory/1416-0-0x00007FFBA5723000-0x00007FFBA5725000-memory.dmp

Filesize
8KB

Download
memory/1416-2-0x00007FFBA5720000-0x00007FFBA61E1000-memory.dmp

Filesize
10.8MB

Download
memory/1416-1-0x00000000004E0000-0x0000000000CF2000-memory.dmp

Filesize
8.1MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads