9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d

Resubmissions

28/03/2025, 14:59

250328-sc4wsazjx2 10

28/03/2025, 14:53

250328-r9rr2sxwbz 10

27/03/2025, 13:35

250327-qvr9laswew 10

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JKT48.exe
Size

8.0MB
MD5

41f5bac802f5e79dc2ca7a3db25d0001
SHA1

ce56c42cadd2db13edf03c15ce3b11c2cfa00f9e
SHA256

9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d
SHA512

94705e83ce1b104954be07210ea3648c7403a6dd86ebaf6e884ced1552636b6a05a3b2926415d6c49ff251a675815435e4b2a3c8f816bbbf68c08c3299db99ab
SSDEEP

196608:PF35AX/ip4e/aS3e+gr80KILDjhoOX9oeqZ8r8swzH0e:d3KX/o4eSTr80xHhJ8s63

Score

10^/10

bootkit defense_evasion discovery evasion execution exploit impact persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	JKT48.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	JKT48.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	JKT48.exe

Disables Task Manager via registry modification
defense_evasion
Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 32 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustedinstaller.exe\Debugger = "*/"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipconfig.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipconfig.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustedinstaller.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
1532	takeown.exe
600	takeown.exe
1676	Process not Found
2372	Process not Found
2828	Process not Found
1608	Process not Found
1732	Process not Found
788	Process not Found
1532	takeown.exe
2184	icacls.exe
2444	Process not Found
2636	Process not Found
2672	Process not Found
2192	Process not Found
1488	icacls.exe
896	takeown.exe
1588	Process not Found
1516	Process not Found
1400	Process not Found
2240	Process not Found
2424	Process not Found
2596	Process not Found
1520	takeown.exe
2372	takeown.exe
2672	Process not Found
1852	Process not Found
3036	Process not Found
2744	Process not Found
2724	Process not Found
2440	Process not Found
2516	icacls.exe
2832	takeown.exe
1700	Process not Found
200	Process not Found
2492	Process not Found
1360	Process not Found
1980	Process not Found
1460	Process not Found
1648	Process not Found
2036	Process not Found
780	Process not Found
3032	Process not Found
1820	Process not Found
2656	takeown.exe
692	Process not Found
1404	icacls.exe
2000	icacls.exe
228	takeown.exe
1388	takeown.exe
2412	Process not Found
1460	Process not Found
2240	Process not Found
2676	icacls.exe
484	takeown.exe
2060	takeown.exe
1568	icacls.exe
1636	Process not Found
1740	Process not Found
760	takeown.exe
2088	takeown.exe
2132	icacls.exe
2180	Process not Found
2888	Process not Found
2596	takeown.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2544	icacls.exe
1952	takeown.exe
204	takeown.exe
1704	Process not Found
1908	Process not Found
2868	takeown.exe
1952	takeown.exe
2700	Process not Found
888	Process not Found
2372	Process not Found
948	Process not Found
2980	Process not Found
2708	Process not Found
1076	Process not Found
1292	Process not Found
1708	Process not Found
2132	Process not Found
2244	icacls.exe
2820	takeown.exe
2224	icacls.exe
1632	icacls.exe
1188	icacls.exe
2280	icacls.exe
2092	Process not Found
1912	Process not Found
484	takeown.exe
2120	takeown.exe
3016	takeown.exe
2336	takeown.exe
2180	Process not Found
2540	Process not Found
2152	Process not Found
2912	Process not Found
572	icacls.exe
2408	icacls.exe
3024	icacls.exe
1492	Process not Found
1424	Process not Found
2428	Process not Found
2332	takeown.exe
3064	Process not Found
1980	Process not Found
1952	takeown.exe
352	Process not Found
1952	Process not Found
1388	Process not Found
2636	Process not Found
1776	Process not Found
1016	takeown.exe
2900	icacls.exe
1412	Process not Found
2264	Process not Found
2056	takeown.exe
2088	icacls.exe
2600	icacls.exe
2832	Process not Found
2112	Process not Found
2456	Process not Found
1676	Process not Found
216	Process not Found
1456	takeown.exe
2812	takeown.exe
2188	Process not Found
2468	Process not Found

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	JKT48.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File created	C:\windows\system32\taskmgr.exe	JKT48.exe
File created	C:\windows\syswow64\reg.exe	JKT48.exe
File created	C:\windows\syswow64\taskkill.exe	JKT48.exe
File created	C:\windows\syswow64\rundll32.exe	JKT48.exe
File created	C:\windows\syswow64\taskmgr.exe	JKT48.exe
File created	C:\windows\syswow64\resmon.exe	JKT48.exe
File created	C:\windows\syswow64\sethc.exe	JKT48.exe
File created	C:\windows\system32\cmd.exe	JKT48.exe
File created	C:\windows\system32\perfmon.msc	JKT48.exe
File created	C:\windows\system32\logonui.exe	JKT48.exe
File created	C:\windows\system32\winload.exe	JKT48.exe
File created	C:\windows\syswow64\perfmon.msc	JKT48.exe
File created	C:\windows\system32\msconfig.exe	JKT48.exe
File created	C:\windows\system32\sethc.exe	JKT48.exe
File created	C:\windows\system32\taskkill.exe	JKT48.exe
File created	C:\windows\syswow64\perfmon.exe	JKT48.exe
File created	C:\windows\system32\utilman.exe	JKT48.exe
File created	C:\windows\system32\perfmon.exe	JKT48.exe
File created	C:\windows\system32\sfc.exe	JKT48.exe
File created	C:\windows\syswow64\regedit.exe	JKT48.exe
File created	C:\windows\system32\reg.exe	JKT48.exe
File created	C:\windows\system32\ntoskrnl.exe	JKT48.exe
File created	C:\windows\syswow64\cmd.exe	JKT48.exe
File created	C:\windows\syswow64\sfc.exe	JKT48.exe
File created	C:\windows\system32\resmon.exe	JKT48.exe
File created	C:\windows\system32\rstrui.exe	JKT48.exe
File created	C:\windows\system32\hal.dll	JKT48.exe
File created	C:\windows\system32\rundll32.exe	JKT48.exe
File created	C:\windows\syswow64\utilman.exe	JKT48.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\580085541	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\RCX8DC5.tmp	JKT48.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\316326468	JKT48.exe
File opened for modification	C:\Program Files\DVD Maker\13890929	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\RCX7EE5.tmp	JKT48.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Windows Journal\70949424	JKT48.exe
File opened for modification	C:\Program Files\Windows Sidebar\540415478	JKT48.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX2BCD.tmp	JKT48.exe
File created	C:\Program Files\Microsoft Games\FreeCell\799812007	JKT48.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\155507725	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Windows Sidebar\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\155507725	JKT48.exe
File created	C:\Program Files\7-Zip\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\560551735	JKT48.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\114541536	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\420550546	JKT48.exe
File opened for modification	C:\Program Files\Windows Journal\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\RCX2E6E.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\418067057	JKT48.exe
File created	C:\Program Files\Windows NT\Accessories\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\53853156	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\RCX7D1F.tmp	JKT48.exe
File opened for modification	C:\Program Files\Windows Mail\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Windows Sidebar\540415478	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\351031254	JKT48.exe
File created	C:\Program Files\Java\jre7\bin\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\378129672	JKT48.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\RCXB2F.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\RCX7D20.tmp	JKT48.exe
File created	C:\Program Files\Microsoft Games\Hearts\608795718	JKT48.exe
File created	C:\Program Files\Microsoft Games\Solitaire\418067057	JKT48.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\296506785	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX36FC.tmp	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\834843778	JKT48.exe
File created	C:\Program Files\Microsoft Games\Purble Place\420550546	JKT48.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\DVD Maker\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\RCX8DC4.tmp	JKT48.exe
File created	C:\Program Files\VideoLAN\VLC\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\RCXD1FE.tmp	JKT48.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\RCXDBF.tmp	JKT48.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\RCX8233.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\RCX8A86.tmp	JKT48.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files (x86)\Google\Update\157493115	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX50C8.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\RCX8234.tmp	JKT48.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\servicing\trustedinstaller.exe	JKT48.exe
File created	C:\windows\regedit.exe	JKT48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1664	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2644	JKT48.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	JKT48.exe
Token: SeDebugPrivilege	2644	JKT48.exe
Token: SeIncBasePriorityPrivilege	2644	JKT48.exe
Token: SeTakeOwnershipPrivilege	332	takeown.exe
Token: SeTakeOwnershipPrivilege	1972	takeown.exe
Token: SeTakeOwnershipPrivilege	952	takeown.exe
Token: SeTakeOwnershipPrivilege	2012	takeown.exe
Token: SeTakeOwnershipPrivilege	2700	takeown.exe
Token: SeTakeOwnershipPrivilege	1652	takeown.exe
Token: SeTakeOwnershipPrivilege	2116	takeown.exe
Token: SeTakeOwnershipPrivilege	692	takeown.exe
Token: SeTakeOwnershipPrivilege	1900	takeown.exe
Token: SeTakeOwnershipPrivilege	2804	takeown.exe
Token: SeTakeOwnershipPrivilege	2852	takeown.exe
Token: SeTakeOwnershipPrivilege	2276	takeown.exe
Token: SeTakeOwnershipPrivilege	2912	takeown.exe
Token: SeTakeOwnershipPrivilege	2820	takeown.exe
Token: SeTakeOwnershipPrivilege	484	takeown.exe
Token: SeTakeOwnershipPrivilege	1668	takeown.exe
Token: SeTakeOwnershipPrivilege	1988	takeown.exe
Token: SeTakeOwnershipPrivilege	1884	takeown.exe
Token: SeTakeOwnershipPrivilege	2484	takeown.exe
Token: SeTakeOwnershipPrivilege	788	takeown.exe
Token: SeTakeOwnershipPrivilege	1456	takeown.exe
Token: SeTakeOwnershipPrivilege	752	takeown.exe
Token: SeTakeOwnershipPrivilege	2456	takeown.exe
Token: SeTakeOwnershipPrivilege	1188	takeown.exe
Token: SeTakeOwnershipPrivilege	1420	takeown.exe
Token: SeTakeOwnershipPrivilege	2784	takeown.exe
Token: SeTakeOwnershipPrivilege	2568	takeown.exe
Token: SeTakeOwnershipPrivilege	2680	takeown.exe
Token: SeTakeOwnershipPrivilege	2612	takeown.exe
Token: SeTakeOwnershipPrivilege	1408	takeown.exe
Token: SeTakeOwnershipPrivilege	1828	takeown.exe
Token: SeTakeOwnershipPrivilege	780	takeown.exe
Token: SeTakeOwnershipPrivilege	2888	takeown.exe
Token: SeTakeOwnershipPrivilege	804	takeown.exe
Token: SeTakeOwnershipPrivilege	2188	takeown.exe
Token: SeTakeOwnershipPrivilege	1476	takeown.exe
Token: SeTakeOwnershipPrivilege	2528	takeown.exe
Token: SeTakeOwnershipPrivilege	332	takeown.exe
Token: SeTakeOwnershipPrivilege	1700	takeown.exe
Token: SeTakeOwnershipPrivilege	1016	takeown.exe
Token: SeTakeOwnershipPrivilege	1772	takeown.exe
Token: SeTakeOwnershipPrivilege	2948	takeown.exe
Token: SeTakeOwnershipPrivilege	1360	takeown.exe
Token: SeTakeOwnershipPrivilege	2920	takeown.exe
Token: SeTakeOwnershipPrivilege	2676	takeown.exe
Token: SeTakeOwnershipPrivilege	600	takeown.exe
Token: SeTakeOwnershipPrivilege	1400	takeown.exe
Token: SeTakeOwnershipPrivilege	1624	takeown.exe
Token: SeTakeOwnershipPrivilege	2828	takeown.exe
Token: SeTakeOwnershipPrivilege	2776	takeown.exe
Token: SeTakeOwnershipPrivilege	2820	takeown.exe
Token: SeTakeOwnershipPrivilege	1716	takeown.exe
Token: SeTakeOwnershipPrivilege	3000	takeown.exe
Token: SeTakeOwnershipPrivilege	908	takeown.exe
Token: SeTakeOwnershipPrivilege	2580	takeown.exe
Token: SeTakeOwnershipPrivilege	1860	takeown.exe
Token: SeTakeOwnershipPrivilege	2856	takeown.exe
Token: SeTakeOwnershipPrivilege	3016	takeown.exe
Token: SeTakeOwnershipPrivilege	1632	takeown.exe
Token: SeTakeOwnershipPrivilege	2960	takeown.exe
Token: SeTakeOwnershipPrivilege	2796	takeown.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe
2644	JKT48.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2776	2644	JKT48.exe	30
PID 2644 wrote to memory of 2776	2644	JKT48.exe	30
PID 2644 wrote to memory of 2776	2644	JKT48.exe	30
PID 2644 wrote to memory of 2704	2644	JKT48.exe	32
PID 2644 wrote to memory of 2704	2644	JKT48.exe	32
PID 2644 wrote to memory of 2704	2644	JKT48.exe	32
PID 2644 wrote to memory of 2752	2644	JKT48.exe	34
PID 2644 wrote to memory of 2752	2644	JKT48.exe	34
PID 2644 wrote to memory of 2752	2644	JKT48.exe	34
PID 2644 wrote to memory of 2592	2644	JKT48.exe	36
PID 2644 wrote to memory of 2592	2644	JKT48.exe	36
PID 2644 wrote to memory of 2592	2644	JKT48.exe	36
PID 2644 wrote to memory of 2560	2644	JKT48.exe	38
PID 2644 wrote to memory of 2560	2644	JKT48.exe	38
PID 2644 wrote to memory of 2560	2644	JKT48.exe	38
PID 2644 wrote to memory of 780	2644	JKT48.exe	40
PID 2644 wrote to memory of 780	2644	JKT48.exe	40
PID 2644 wrote to memory of 780	2644	JKT48.exe	40
PID 2644 wrote to memory of 2096	2644	JKT48.exe	42
PID 2644 wrote to memory of 2096	2644	JKT48.exe	42
PID 2644 wrote to memory of 2096	2644	JKT48.exe	42
PID 2644 wrote to memory of 348	2644	JKT48.exe	44
PID 2644 wrote to memory of 348	2644	JKT48.exe	44
PID 2644 wrote to memory of 348	2644	JKT48.exe	44
PID 2644 wrote to memory of 1104	2644	JKT48.exe	46
PID 2644 wrote to memory of 1104	2644	JKT48.exe	46
PID 2644 wrote to memory of 1104	2644	JKT48.exe	46
PID 2644 wrote to memory of 3028	2644	JKT48.exe	48
PID 2644 wrote to memory of 3028	2644	JKT48.exe	48
PID 2644 wrote to memory of 3028	2644	JKT48.exe	48
PID 2644 wrote to memory of 2144	2644	JKT48.exe	50
PID 2644 wrote to memory of 2144	2644	JKT48.exe	50
PID 2644 wrote to memory of 2144	2644	JKT48.exe	50
PID 2644 wrote to memory of 332	2644	JKT48.exe	52
PID 2644 wrote to memory of 332	2644	JKT48.exe	52
PID 2644 wrote to memory of 332	2644	JKT48.exe	52
PID 2644 wrote to memory of 2092	2644	JKT48.exe	54
PID 2644 wrote to memory of 2092	2644	JKT48.exe	54
PID 2644 wrote to memory of 2092	2644	JKT48.exe	54
PID 2644 wrote to memory of 2344	2644	JKT48.exe	56
PID 2644 wrote to memory of 2344	2644	JKT48.exe	56
PID 2644 wrote to memory of 2344	2644	JKT48.exe	56
PID 2644 wrote to memory of 1232	2644	JKT48.exe	58
PID 2644 wrote to memory of 1232	2644	JKT48.exe	58
PID 2644 wrote to memory of 1232	2644	JKT48.exe	58
PID 2644 wrote to memory of 2528	2644	JKT48.exe	60
PID 2644 wrote to memory of 2528	2644	JKT48.exe	60
PID 2644 wrote to memory of 2528	2644	JKT48.exe	60
PID 2644 wrote to memory of 2640	2644	JKT48.exe	62
PID 2644 wrote to memory of 2640	2644	JKT48.exe	62
PID 2644 wrote to memory of 2640	2644	JKT48.exe	62
PID 2644 wrote to memory of 1464	2644	JKT48.exe	64
PID 2644 wrote to memory of 1464	2644	JKT48.exe	64
PID 2644 wrote to memory of 1464	2644	JKT48.exe	64
PID 2644 wrote to memory of 1972	2644	JKT48.exe	66
PID 2644 wrote to memory of 1972	2644	JKT48.exe	66
PID 2644 wrote to memory of 1972	2644	JKT48.exe	66
PID 2644 wrote to memory of 2184	2644	JKT48.exe	68
PID 2644 wrote to memory of 2184	2644	JKT48.exe	68
PID 2644 wrote to memory of 2184	2644	JKT48.exe	68
PID 2644 wrote to memory of 2244	2644	JKT48.exe	70
PID 2644 wrote to memory of 2244	2644	JKT48.exe	70
PID 2644 wrote to memory of 2244	2644	JKT48.exe	70
PID 2644 wrote to memory of 2932	2644	JKT48.exe	72

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	JKT48.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JKT48.exe
"C:\Users\Admin\AppData\Local\Temp\JKT48.exe"
1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2644
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin" /a
  2⤵
  PID:2776
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin" /grant Administrators:F
  2⤵
  PID:2704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000" /a
  2⤵
  PID:2752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000" /grant Administrators:F
  2⤵
  PID:2592
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Documents and Settings" /a
  2⤵
  PID:2560
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Documents and Settings" /grant Administrators:F
  2⤵
  PID:780
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache" /a
  2⤵
  PID:2096
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache" /grant Administrators:F
  2⤵
  PID:348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users" /a
  2⤵
  PID:1104
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users" /grant Administrators:F
  2⤵
  PID:3028
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2144
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\cmd.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2092
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\cmd.exe" /grant Administrators:F
  2⤵
  PID:2344
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe" /a
  2⤵
  PID:1232
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe" /grant Administrators:F
  2⤵
  PID:2528
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:1464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\regedit.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi" /a
  2⤵
  PID:2184
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\regedit.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2244
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi" /grant Administrators:F
  2⤵
  PID:2932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:408
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\reg.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:1016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\reg.exe" /grant Administrators:F
  2⤵
  PID:1152
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi" /a
  2⤵
  - Modifies file permissions
  PID:1952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi" /grant Administrators:F
  2⤵
  PID:1552
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:1688
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:1620
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskmgr.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\taskmgr.exe" /grant Administrators:F
  2⤵
  PID:1920
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi" /a
  2⤵
  PID:1188
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi" /grant Administrators:F
  2⤵
  PID:1776
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:1912
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:1424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi" /a
  2⤵
  PID:2364
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi" /grant Administrators:F
  2⤵
  PID:2828
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\msconfig.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\msconfig.exe" /grant Administrators:F
  2⤵
  PID:2356
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2812
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2596
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi" /a
  2⤵
  PID:780
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi" /grant Administrators:F
  2⤵
  PID:908
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2580
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\utilman.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2340
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\utilman.exe" /grant Administrators:F
  2⤵
  PID:2020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi" /a
  2⤵
  PID:1336
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:572
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en" /a
  2⤵
  PID:2400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en" /grant Administrators:F
  2⤵
  PID:2104
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\sethc.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi" /a
  2⤵
  PID:1972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\sethc.exe" /grant Administrators:F
  2⤵
  PID:2184
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi" /grant Administrators:F
  2⤵
  PID:808
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es" /a
  2⤵
  PID:2276
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es" /grant Administrators:F
  2⤵
  PID:1700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi" /a
  2⤵
  PID:952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi" /grant Administrators:F
  2⤵
  PID:2124
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.exe" /grant Administrators:F
  2⤵
  PID:2056
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr" /a
  2⤵
  PID:1236
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr" /grant Administrators:F
  2⤵
  PID:1984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi" /a
  2⤵
  PID:2440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi" /grant Administrators:F
  2⤵
  PID:1980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:1920
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2844
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.msc" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.msc" /grant Administrators:F
  2⤵
  PID:1616
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi" /a
  2⤵
  PID:1704
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi" /grant Administrators:F
  2⤵
  PID:2800
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2716
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2356
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\resmon.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\resmon.exe" /grant Administrators:F
  2⤵
  PID:3004
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi" /a
  2⤵
  PID:3000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi" /grant Administrators:F
  2⤵
  PID:1608
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2636
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2160
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi" /a
  2⤵
  PID:1396
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi" /grant Administrators:F
  2⤵
  PID:1940
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\logonui.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\logonui.exe" /grant Administrators:F
  2⤵
  PID:1448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:1228
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:1548
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE" /a
  2⤵
  PID:2932
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE" /grant Administrators:F
  2⤵
  PID:332
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033" /a
  2⤵
  PID:2184
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033" /grant Administrators:F
  2⤵
  PID:2152
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C" /a
  2⤵
  PID:1532
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskkill.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:1772
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\taskkill.exe" /grant Administrators:F
  2⤵
  PID:2124
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi" /a
  2⤵
  PID:2516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi" /grant Administrators:F
  2⤵
  PID:752
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi" /a
  2⤵
  PID:1268
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi" /grant Administrators:F
  2⤵
  PID:2060
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\rundll32.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:1400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\rundll32.exe" /grant Administrators:F
  2⤵
  PID:1728
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi" /a
  2⤵
  PID:1708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi" /grant Administrators:F
  2⤵
  PID:2980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us" /a
  2⤵
  PID:2264
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us" /grant Administrators:F
  2⤵
  PID:2576
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\rstrui.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi" /a
  2⤵
  PID:2704
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\rstrui.exe" /grant Administrators:F
  2⤵
  PID:2652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi" /grant Administrators:F
  2⤵
  PID:3016
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\PerfLogs" /a
  2⤵
  PID:1440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\PerfLogs" /grant Administrators:F
  2⤵
  PID:1648
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\PerfLogs\Admin" /a
  2⤵
  PID:2188
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\PerfLogs\Admin" /grant Administrators:F
  2⤵
  PID:2600
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:484
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files" /grant Administrators:F
  2⤵
  PID:1348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\sfc.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\sfc.exe" /grant Administrators:F
  2⤵
  PID:1396
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\winload.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\winload.exe" /grant Administrators:F
  2⤵
  PID:320
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip" /a
  2⤵
  PID:3064
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip" /grant Administrators:F
  2⤵
  PID:2064
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\ntoskrnl.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\ntoskrnl.exe" /grant Administrators:F
  2⤵
  PID:356
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\7z.exe" /a
  2⤵
  PID:316
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\7z.exe" /grant Administrators:F
  2⤵
  PID:1676
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\Lang" /a
  2⤵
  PID:2092
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\Lang" /grant Administrators:F
  2⤵
  PID:2148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files" /grant Administrators:F
  2⤵
  PID:896
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:788
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared" /grant Administrators:F
  2⤵
  PID:2184
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Filters" /a
  2⤵
  PID:1108
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Filters" /grant Administrators:F
  2⤵
  PID:984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\hal.dll" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\hal.dll" /grant Administrators:F
  2⤵
  PID:1472
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink" /grant Administrators:F
  2⤵
  PID:1984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2676
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA" /grant Administrators:F
  2⤵
  PID:2912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\servicing\trustedinstaller.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG" /grant Administrators:F
  2⤵
  PID:1728
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\servicing\trustedinstaller.exe" /grant Administrators:F
  2⤵
  PID:2924
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ" /grant Administrators:F
  2⤵
  PID:2712
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK" /grant Administrators:F
  2⤵
  PID:2264
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE" /grant Administrators:F
  2⤵
  PID:2816
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR" /grant Administrators:F
  2⤵
  PID:2704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\en-US" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\cmd.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\cmd.exe" /grant Administrators:F
  2⤵
  PID:644
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US" /grant Administrators:F
  2⤵
  PID:1404
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES" /grant Administrators:F
  2⤵
  PID:2608
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:804
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\regedit.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE" /grant Administrators:F
  2⤵
  PID:484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\regedit.exe" /grant Administrators:F
  2⤵
  PID:1252
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI" /grant Administrators:F
  2⤵
  PID:1548
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR" /grant Administrators:F
  2⤵
  PID:2416
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions" /grant Administrators:F
  2⤵
  PID:2120
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad" /grant Administrators:F
  2⤵
  PID:2148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad" /grant Administrators:F
  2⤵
  PID:848
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\reg.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main" /grant Administrators:F
  2⤵
  PID:832
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\reg.exe" /grant Administrators:F
  2⤵
  PID:2848
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers" /grant Administrators:F
  2⤵
  PID:1572
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu" /grant Administrators:F
  2⤵
  PID:1980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad" /grant Administrators:F
  2⤵
  PID:2456
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:600
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred" /grant Administrators:F
  2⤵
  PID:1468
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskmgr.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols" /grant Administrators:F
  2⤵
  PID:2936
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskmgr.exe" /grant Administrators:F
  2⤵
  PID:2040
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web" /grant Administrators:F
  2⤵
  PID:2672
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL" /grant Administrators:F
  2⤵
  PID:692
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR" /grant Administrators:F
  2⤵
  PID:296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU" /grant Administrators:F
  2⤵
  PID:2552
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization" /grant Administrators:F
  2⤵
  PID:2108
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\utilman.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\utilman.exe" /grant Administrators:F
  2⤵
  PID:580
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT" /grant Administrators:F
  2⤵
  PID:1004
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP" /grant Administrators:F
  2⤵
  PID:1612
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR" /grant Administrators:F
  2⤵
  PID:2188
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT" /grant Administrators:F
  2⤵
  PID:1464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV" /grant Administrators:F
  2⤵
  PID:284
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO" /grant Administrators:F
  2⤵
  PID:928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.exe" /grant Administrators:F
  2⤵
  PID:2372
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL" /a
  2⤵
  PID:1568
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL" /grant Administrators:F
  2⤵
  PID:2052
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL" /a
  2⤵
  PID:608
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL" /grant Administrators:F
  2⤵
  PID:1460
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR" /a
  2⤵
  PID:1552
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR" /grant Administrators:F
  2⤵
  PID:844
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT" /a
  2⤵
  PID:1268
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT" /grant Administrators:F
  2⤵
  PID:848
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO" /a
  2⤵
  PID:1980
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO" /grant Administrators:F
  2⤵
  PID:1204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.msc" /a
  2⤵
  PID:316
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU" /a
  2⤵
  PID:2428
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.msc" /grant Administrators:F
  2⤵
  PID:2156
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU" /grant Administrators:F
  2⤵
  PID:1896
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK" /a
  2⤵
  PID:3032
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK" /grant Administrators:F
  2⤵
  PID:1520
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI" /a
  2⤵
  PID:2744
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI" /grant Administrators:F
  2⤵
  PID:2800
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS" /a
  2⤵
  PID:2540
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS" /grant Administrators:F
  2⤵
  PID:2712
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE" /a
  2⤵
  PID:2604
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE" /grant Administrators:F
  2⤵
  PID:1776
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\resmon.exe" /a
  2⤵
  PID:2680
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH" /a
  2⤵
  PID:2560
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH" /grant Administrators:F
  2⤵
  PID:2672
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\resmon.exe" /grant Administrators:F
  2⤵
  PID:2040
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR" /a
  2⤵
  PID:1064
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR" /grant Administrators:F
  2⤵
  PID:584
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA" /a
  2⤵
  PID:2984
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA" /grant Administrators:F
  2⤵
  PID:2764
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN" /a
  2⤵
  PID:2600
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN" /grant Administrators:F
  2⤵
  PID:1988
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW" /a
  2⤵
  PID:2380
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1404
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /a
  2⤵
  PID:780
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /grant Administrators:F
  2⤵
  PID:2804
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sethc.exe" /a
  2⤵
  PID:2268
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /a
  2⤵
  PID:2388
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\sethc.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2408
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /grant Administrators:F
  2⤵
  PID:1348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE" /a
  2⤵
  PID:2376
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE" /grant Administrators:F
  2⤵
  PID:1724
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US" /a
  2⤵
  PID:1736
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US" /grant Administrators:F
  2⤵
  PID:1640
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES" /a
  2⤵
  PID:2492
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES" /grant Administrators:F
  2⤵
  PID:2280
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR" /a
  2⤵
  PID:2024
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskkill.exe" /a
  2⤵
  - Modifies file permissions
  PID:2120
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR" /grant Administrators:F
  2⤵
  PID:2052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskkill.exe" /grant Administrators:F
  2⤵
  PID:844
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT" /a
  2⤵
  PID:3020
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT" /grant Administrators:F
  2⤵
  PID:1152
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP" /a
  2⤵
  PID:1980
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP" /grant Administrators:F
  2⤵
  PID:1060
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OFFICE14" /a
  2⤵
  PID:2060
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OFFICE14" /grant Administrators:F
  2⤵
  PID:2012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /a
  2⤵
  PID:2428
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /grant Administrators:F
  2⤵
  PID:2696
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sfc.exe" /a
  2⤵
  PID:2760
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures" /a
  2⤵
  PID:1732
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\sfc.exe" /grant Administrators:F
  2⤵
  PID:1408
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures" /grant Administrators:F
  2⤵
  PID:1520
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform" /a
  2⤵
  PID:348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform" /grant Administrators:F
  2⤵
  PID:2552
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" /a
  2⤵
  PID:2680
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" /grant Administrators:F
  2⤵
  PID:1716
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Stationery" /a
  2⤵
  - Modifies file permissions
  PID:2056
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Stationery" /grant Administrators:F
  2⤵
  PID:2724
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\rundll32.exe" /a
  2⤵
  PID:836
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv" /a
  2⤵
  PID:2212
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv" /grant Administrators:F
  2⤵
  PID:1824
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\rundll32.exe" /grant Administrators:F
  2⤵
  PID:2412
- C:\windows\system32\vssadmin.exe
  "C:\windows\system32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1664
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE" /a
  2⤵
  PID:1860
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2088
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US" /a
  2⤵
  PID:1632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US" /grant Administrators:F
  2⤵
  PID:1348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES" /a
  2⤵
  PID:2736
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES" /grant Administrators:F
  2⤵
  PID:1464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR" /a
  2⤵
  PID:2116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR" /grant Administrators:F
  2⤵
  PID:2504
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT" /a
  2⤵
  PID:1952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT" /grant Administrators:F
  2⤵
  PID:1532
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP" /a
  2⤵
  PID:2236
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP" /grant Administrators:F
  2⤵
  PID:2492
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit" /a
  2⤵
  PID:332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit" /grant Administrators:F
  2⤵
  PID:1700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE" /a
  2⤵
  PID:1568
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE" /grant Administrators:F
  2⤵
  PID:2444
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US" /a
  2⤵
  PID:2000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US" /grant Administrators:F
  2⤵
  PID:1156
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES" /a
  2⤵
  PID:344
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES" /grant Administrators:F
  2⤵
  PID:2012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR" /a
  2⤵
  PID:1204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR" /grant Administrators:F
  2⤵
  PID:1728
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT" /a
  2⤵
  PID:1516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT" /grant Administrators:F
  2⤵
  PID:2868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP" /a
  2⤵
  PID:2428
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP" /grant Administrators:F
  2⤵
  PID:2716
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VC" /a
  2⤵
  PID:2264
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VC" /grant Administrators:F
  2⤵
  PID:2452
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VGX" /a
  2⤵
  PID:1820
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VGX" /grant Administrators:F
  2⤵
  PID:2068
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO" /a
  2⤵
  PID:2184
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO" /grant Administrators:F
  2⤵
  PID:600
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0" /a
  2⤵
  PID:1356
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0" /grant Administrators:F
  2⤵
  PID:1648
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe" /a
  2⤵
  PID:1396
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe" /grant Administrators:F
  2⤵
  PID:2832
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033" /a
  2⤵
  PID:3016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033" /grant Administrators:F
  2⤵
  PID:3028
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Services" /a
  2⤵
  PID:1656
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Services" /grant Administrators:F
  2⤵
  PID:1632
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines" /a
  2⤵
  PID:2736
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines" /grant Administrators:F
  2⤵
  PID:2652
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft" /a
  2⤵
  PID:2636
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3024
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20" /a
  2⤵
  PID:1956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20" /grant Administrators:F
  2⤵
  PID:1688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE" /a
  2⤵
  PID:2468
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE" /grant Administrators:F
  2⤵
  PID:3008
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US" /a
  2⤵
  PID:2960
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US" /grant Administrators:F
  2⤵
  PID:2180
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk" /a
  2⤵
  PID:832
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk" /grant Administrators:F
  2⤵
  PID:2484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES" /a
  2⤵
  PID:884
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES" /grant Administrators:F
  2⤵
  PID:1060
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR" /a
  2⤵
  PID:1532
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT" /a
  2⤵
  PID:1896
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT" /grant Administrators:F
  2⤵
  PID:2332
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP" /a
  2⤵
  PID:2848
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP" /grant Administrators:F
  2⤵
  PID:1816
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System" /a
  2⤵
  PID:2668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System" /grant Administrators:F
  2⤵
  PID:1424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado" /a
  2⤵
  PID:2016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado" /grant Administrators:F
  2⤵
  PID:2036
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\de-DE" /a
  2⤵
  PID:2800
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\de-DE" /grant Administrators:F
  2⤵
  PID:296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\en-US" /a
  2⤵
  PID:1616
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\en-US" /grant Administrators:F
  2⤵
  PID:2160
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\es-ES" /a
  2⤵
  - Modifies file permissions
  PID:2868
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\es-ES" /grant Administrators:F
  2⤵
  PID:1652
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\fr-FR" /a
  2⤵
  PID:1260
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\fr-FR" /grant Administrators:F
  2⤵
  PID:2828
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\it-IT" /a
  2⤵
  PID:200
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\it-IT" /grant Administrators:F
  2⤵
  PID:232
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\ja-JP" /a
  2⤵
  PID:2064
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\ja-JP" /grant Administrators:F
  2⤵
  PID:1940
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\de-DE" /a
  2⤵
  PID:1396
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\de-DE" /grant Administrators:F
  2⤵
  PID:1252
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\en-US" /a
  2⤵
  PID:2192
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\en-US" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\es-ES" /a
  2⤵
  PID:1520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\es-ES" /grant Administrators:F
  2⤵
  PID:2144
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\fr-FR" /a
  2⤵
  PID:1884
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\fr-FR" /grant Administrators:F
  2⤵
  PID:900
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\it-IT" /a
  2⤵
  PID:2972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\it-IT" /grant Administrators:F
  2⤵
  PID:1632
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ja-JP" /a
  2⤵
  PID:2188
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ja-JP" /grant Administrators:F
  2⤵
  PID:356
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc" /a
  2⤵
  PID:608
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc" /grant Administrators:F
  2⤵
  PID:1360
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\de-DE" /a
  2⤵
  PID:2244
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\de-DE" /grant Administrators:F
  2⤵
  PID:2496
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\en-US" /a
  2⤵
  PID:1720
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\en-US" /grant Administrators:F
  2⤵
  PID:1460
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\es-ES" /a
  2⤵
  PID:1700
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\es-ES" /grant Administrators:F
  2⤵
  PID:2464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\fr-FR" /a
  2⤵
  PID:448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\fr-FR" /grant Administrators:F
  2⤵
  PID:2860
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\it-IT" /a
  2⤵
  PID:2592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\it-IT" /grant Administrators:F
  2⤵
  PID:1020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\ja-JP" /a
  2⤵
  PID:2332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\ja-JP" /grant Administrators:F
  2⤵
  PID:1896
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB" /a
  2⤵
  PID:1684
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB" /grant Administrators:F
  2⤵
  PID:2564
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\de-DE" /a
  2⤵
  PID:1400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\de-DE" /grant Administrators:F
  2⤵
  PID:2752
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\en-US" /a
  2⤵
  PID:2560
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\en-US" /grant Administrators:F
  2⤵
  PID:2184
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\es-ES" /a
  2⤵
  PID:1820
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\es-ES" /grant Administrators:F
  2⤵
  PID:2544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\fr-FR" /a
  2⤵
  PID:1356
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\fr-FR" /grant Administrators:F
  2⤵
  PID:208
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\it-IT" /a
  2⤵
  PID:2856
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\it-IT" /grant Administrators:F
  2⤵
  PID:1476
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\ja-JP" /a
  2⤵
  PID:1880
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\ja-JP" /grant Administrators:F
  2⤵
  PID:2200
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker" /a
  2⤵
  PID:232
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker" /grant Administrators:F
  2⤵
  PID:2016
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\DVDMaker.exe" /a
  2⤵
  - Possible privilege escalation attempt
  PID:228
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\DVDMaker.exe" /grant Administrators:F
  2⤵
  PID:2600
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\de-DE" /a
  2⤵
  PID:1676
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\de-DE" /grant Administrators:F
  2⤵
  PID:2292
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\en-US" /a
  2⤵
  - Modifies file permissions
  PID:3016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\en-US" /grant Administrators:F
  2⤵
  PID:2088
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\es-ES" /a
  2⤵
  PID:952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\es-ES" /grant Administrators:F
  2⤵
  PID:1692
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\fr-FR" /a
  2⤵
  PID:1456
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\fr-FR" /grant Administrators:F
  2⤵
  PID:1472
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\it-IT" /a
  2⤵
  PID:1156
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\it-IT" /grant Administrators:F
  2⤵
  PID:2496
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\ja-JP" /a
  2⤵
  PID:1884
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\ja-JP" /grant Administrators:F
  2⤵
  PID:2284
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared" /a
  2⤵
  PID:2256
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared" /grant Administrators:F
  2⤵
  PID:2968
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles" /a
  2⤵
  PID:2156
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles" /grant Administrators:F
  2⤵
  PID:2596
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy" /a
  2⤵
  PID:316
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy" /grant Administrators:F
  2⤵
  PID:1424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl" /a
  2⤵
  - Possible privilege escalation attempt
  PID:760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl" /grant Administrators:F
  2⤵
  PID:2912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage" /a
  2⤵
  PID:996
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage" /grant Administrators:F
  2⤵
  PID:496
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Full" /a
  2⤵
  PID:1624
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Full" /grant Administrators:F
  2⤵
  PID:2428
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle" /a
  2⤵
  PID:1288
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles" /a
  2⤵
  PID:1896
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles" /grant Administrators:F
  2⤵
  PID:1420
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories" /a
  2⤵
  PID:2536
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories" /grant Administrators:F
  2⤵
  PID:1648
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge" /a
  2⤵
  PID:224
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge" /grant Administrators:F
  2⤵
  PID:2932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance" /a
  2⤵
  - Possible privilege escalation attempt
  PID:484
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance" /grant Administrators:F
  2⤵
  PID:200
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets" /a
  2⤵
  PID:1968
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets" /grant Administrators:F
  2⤵
  PID:1912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Push" /a
  2⤵
  PID:1348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Push" /grant Administrators:F
  2⤵
  PID:2820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles" /a
  2⤵
  PID:2200
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles" /grant Administrators:F
  2⤵
  PID:216
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels" /a
  2⤵
  PID:2980
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels" /grant Administrators:F
  2⤵
  PID:2376
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter" /a
  2⤵
  PID:2824
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter" /grant Administrators:F
  2⤵
  PID:2412
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion" /a
  2⤵
  PID:804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion" /grant Administrators:F
  2⤵
  PID:1932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports" /a
  2⤵
  PID:952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports" /grant Administrators:F
  2⤵
  PID:876
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking" /a
  2⤵
  PID:2120
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking" /grant Administrators:F
  2⤵
  PID:1460
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel" /grant Administrators:F
  2⤵
  PID:1076
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall" /a
  2⤵
  PID:3032
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall" /grant Administrators:F
  2⤵
  PID:2844
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette" /a
  2⤵
  PID:2364
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette" /grant Administrators:F
  2⤵
  PID:2968
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google" /a
  2⤵
  PID:1532
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google" /grant Administrators:F
  2⤵
  PID:2484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome" /a
  2⤵
  PID:2144
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome" /grant Administrators:F
  2⤵
  PID:1424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application" /a
  2⤵
  PID:2528
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application" /grant Administrators:F
  2⤵
  PID:332
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\chrome.exe" /a
  2⤵
  PID:2328
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\chrome.exe" /grant Administrators:F
  2⤵
  PID:2744
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119" /a
  2⤵
  PID:2752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119" /grant Administrators:F
  2⤵
  PID:2444
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe" /a
  2⤵
  PID:2132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe" /grant Administrators:F
  2⤵
  PID:204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps" /a
  2⤵
  PID:2240
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1488
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions" /a
  2⤵
  PID:200
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions" /grant Administrators:F
  2⤵
  PID:2176
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer" /a
  2⤵
  PID:1524
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer" /grant Administrators:F
  2⤵
  PID:1852
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" /a
  2⤵
  PID:2356
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" /grant Administrators:F
  2⤵
  PID:908
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales" /a
  2⤵
  PID:1824
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales" /grant Administrators:F
  2⤵
  PID:2736
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload" /a
  2⤵
  PID:2956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload" /grant Administrators:F
  2⤵
  PID:2148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements" /a
  2⤵
  PID:804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements" /grant Administrators:F
  2⤵
  PID:2796
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2060
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm" /grant Administrators:F
  2⤵
  PID:2292
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific" /a
  2⤵
  PID:344
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific" /grant Administrators:F
  2⤵
  PID:2972
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64" /a
  2⤵
  PID:2228
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64" /grant Administrators:F
  2⤵
  PID:1984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\SetupMetrics" /a
  2⤵
  PID:1900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\SetupMetrics" /grant Administrators:F
  2⤵
  PID:1588
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer" /a
  2⤵
  PID:2576
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer" /grant Administrators:F
  2⤵
  PID:2156
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\iediagcmd.exe" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1532
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\iediagcmd.exe" /grant Administrators:F
  2⤵
  PID:2028
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\de-DE" /a
  2⤵
  PID:2096
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\de-DE" /grant Administrators:F
  2⤵
  PID:760
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\en-US" /a
  2⤵
  PID:1216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\en-US" /grant Administrators:F
  2⤵
  PID:332
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\es-ES" /a
  2⤵
  PID:2428
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\es-ES" /grant Administrators:F
  2⤵
  PID:2548
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\fr-FR" /a
  2⤵
  PID:1704
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\fr-FR" /grant Administrators:F
  2⤵
  PID:2468
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\images" /a
  2⤵
  PID:2672
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\images" /grant Administrators:F
  2⤵
  PID:1896
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\it-IT" /a
  2⤵
  PID:212
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\it-IT" /grant Administrators:F
  2⤵
  PID:1612
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\ja-JP" /a
  2⤵
  PID:296
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\ja-JP" /grant Administrators:F
  2⤵
  PID:2360
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\SIGNUP" /a
  2⤵
  PID:1408
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\SIGNUP" /grant Administrators:F
  2⤵
  PID:1260
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java" /a
  2⤵
  PID:2480
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java" /grant Administrators:F
  2⤵
  PID:2600
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80" /a
  2⤵
  PID:2108
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80" /grant Administrators:F
  2⤵
  PID:644
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\bin" /a
  2⤵
  PID:2356
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\bin" /grant Administrators:F
  2⤵
  PID:1636
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe" /a
  2⤵
  PID:1540
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe" /grant Administrators:F
  2⤵
  PID:1824
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\db" /a
  2⤵
  PID:2376
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\db" /grant Administrators:F
  2⤵
  PID:2864
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\db\bin" /a
  2⤵
  PID:1692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\db\bin" /grant Administrators:F
  2⤵
  PID:3068
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\db\lib" /a
  2⤵
  PID:356
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\db\lib" /grant Administrators:F
  2⤵
  PID:2192
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\include" /a
  2⤵
  PID:984
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\include" /grant Administrators:F
  2⤵
  PID:1876
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\include\win32" /a
  2⤵
  PID:3032
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\include\win32" /grant Administrators:F
  2⤵
  PID:1588
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge" /a
  2⤵
  PID:928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge" /grant Administrators:F
  2⤵
  PID:1448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre" /a
  2⤵
  PID:1992
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre" /grant Administrators:F
  2⤵
  PID:2364
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin" /a
  2⤵
  PID:316
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin" /grant Administrators:F
  2⤵
  PID:2028
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe" /a
  2⤵
  PID:692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe" /grant Administrators:F
  2⤵
  PID:2776
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin" /a
  2⤵
  PID:1412
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin" /grant Administrators:F
  2⤵
  PID:1216
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2" /a
  2⤵
  PID:2744
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2" /grant Administrators:F
  2⤵
  PID:448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server" /a
  2⤵
  PID:2616
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server" /grant Administrators:F
  2⤵
  PID:2112
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib" /a
  2⤵
  PID:2336
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib" /grant Administrators:F
  2⤵
  PID:2536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe" /a
  2⤵
  PID:2132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe" /grant Administrators:F
  2⤵
  PID:2064
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64" /a
  2⤵
  PID:2160
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64" /grant Administrators:F
  2⤵
  PID:1488
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet" /a
  2⤵
  PID:2800
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet" /grant Administrators:F
  2⤵
  PID:296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm" /a
  2⤵
  PID:2388
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm" /grant Administrators:F
  2⤵
  PID:1880
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy" /a
  2⤵
  PID:1292
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy" /grant Administrators:F
  2⤵
  PID:644
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1388
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext" /grant Administrators:F
  2⤵
  PID:2980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts" /a
  2⤵
  PID:948
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts" /grant Administrators:F
  2⤵
  PID:2704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images" /a
  2⤵
  PID:2636
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images" /grant Administrators:F
  2⤵
  PID:1688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors" /a
  2⤵
  PID:1492
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2516
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr" /a
  2⤵
  PID:2652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr" /grant Administrators:F
  2⤵
  PID:3068
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management" /a
  2⤵
  PID:2412
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management" /grant Administrators:F
  2⤵
  PID:2116
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security" /a
  2⤵
  PID:752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security" /grant Administrators:F
  2⤵
  PID:1472
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi" /a
  2⤵
  PID:2796
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi" /grant Administrators:F
  2⤵
  PID:2000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2596
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1632
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America" /a
  2⤵
  PID:2180
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America" /grant Administrators:F
  2⤵
  PID:1944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1532
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina" /grant Administrators:F
  2⤵
  PID:3012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana" /a
  2⤵
  - Possible privilege escalation attempt
  PID:600
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana" /grant Administrators:F
  2⤵
  PID:2328
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky" /a
  2⤵
  PID:332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2184
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota" /a
  2⤵
  PID:2432
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota" /grant Administrators:F
  2⤵
  PID:2548
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica" /a
  2⤵
  PID:1412
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica" /grant Administrators:F
  2⤵
  PID:1624
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia" /a
  2⤵
  PID:2464
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia" /grant Administrators:F
  2⤵
  PID:2536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic" /a
  2⤵
  PID:2608
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2900
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia" /a
  2⤵
  PID:696
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia" /grant Administrators:F
  2⤵
  PID:1612
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc" /a
  2⤵
  PID:1168
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc" /grant Administrators:F
  2⤵
  PID:2724
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe" /a
  2⤵
  PID:2132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe" /grant Administrators:F
  2⤵
  PID:992
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian" /a
  2⤵
  PID:1972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian" /grant Administrators:F
  2⤵
  PID:2016
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific" /a
  2⤵
  PID:2856
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific" /grant Administrators:F
  2⤵
  PID:1852
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV" /a
  2⤵
  PID:2660
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV" /grant Administrators:F
  2⤵
  PID:2372
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib" /a
  2⤵
  PID:2440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib" /grant Administrators:F
  2⤵
  PID:2704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol" /a
  2⤵
  PID:1404
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol" /grant Administrators:F
  2⤵
  PID:2188
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration" /a
  2⤵
  PID:1460
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration" /grant Administrators:F
  2⤵
  PID:2652
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator" /a
  2⤵
  - Modifies file permissions
  PID:1952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1188
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update" /a
  2⤵
  PID:2284
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update" /grant Administrators:F
  2⤵
  PID:1884
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins" /a
  2⤵
  PID:2256
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins" /grant Administrators:F
  2⤵
  PID:756
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features" /a
  2⤵
  PID:2000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features" /grant Administrators:F
  2⤵
  PID:1456
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303" /a
  2⤵
  PID:2484
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303" /a
  2⤵
  PID:888
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2180
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303" /a
  2⤵
  PID:2572
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2368
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303" /a
  2⤵
  PID:2332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2444
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303" /a
  2⤵
  PID:760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:972
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303" /a
  2⤵
  PID:2432
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2920
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303" /a
  2⤵
  PID:2672
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002" /a
  2⤵
  PID:2900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002" /grant Administrators:F
  2⤵
  PID:1912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002" /a
  2⤵
  PID:2452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002" /grant Administrators:F
  2⤵
  PID:780
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033" /a
  2⤵
  PID:208
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033" /grant Administrators:F
  2⤵
  PID:2160
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF" /a
  2⤵
  PID:2600
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF" /grant Administrators:F
  2⤵
  PID:1916
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444" /a
  2⤵
  PID:992
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444" /grant Administrators:F
  2⤵
  PID:228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2832
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:1572
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2372
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444" /grant Administrators:F
  2⤵
  PID:1688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF" /a
  2⤵
  PID:2980
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1568
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444" /a
  2⤵
  PID:900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444" /grant Administrators:F
  2⤵
  PID:1824
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF" /a
  2⤵
  PID:2236
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:2412
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444" /a
  2⤵
  - Modifies file permissions
  PID:1952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444" /grant Administrators:F
  2⤵
  PID:2956
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF" /a
  2⤵
  PID:1552
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:2052
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444" /a
  2⤵
  PID:756
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444" /grant Administrators:F
  2⤵
  PID:2596
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF" /a
  2⤵
  PID:2448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:2612
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444" /a
  2⤵
  PID:2568
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444" /grant Administrators:F
  2⤵
  PID:496
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF" /a
  2⤵
  PID:2528
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:2708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043" /a
  2⤵
  PID:2484
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043" /grant Administrators:F
  2⤵
  PID:1700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF" /a
  2⤵
  PID:2112
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF" /grant Administrators:F
  2⤵
  PID:896
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043" /a
  2⤵
  PID:2096
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043" /grant Administrators:F
  2⤵
  PID:1212
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF" /a
  2⤵
  PID:1648
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF" /grant Administrators:F
  2⤵
  PID:2888
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116" /a
  2⤵
  PID:2456
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116" /grant Administrators:F
  2⤵
  PID:2536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF" /a
  2⤵
  PID:2696
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF" /grant Administrators:F
  2⤵
  PID:2068
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116" /a
  2⤵
  PID:780
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116" /grant Administrators:F
  2⤵
  PID:2800
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF" /a
  2⤵
  - Modifies file permissions
  PID:2812
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF" /grant Administrators:F
  2⤵
  PID:1956
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301" /a
  2⤵
  PID:2600
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301" /grant Administrators:F
  2⤵
  PID:2388
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF" /a
  2⤵
  PID:1232
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF" /grant Administrators:F
  2⤵
  PID:1348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301" /a
  2⤵
  PID:1676
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301" /grant Administrators:F
  2⤵
  PID:1852
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF" /a
  2⤵
  PID:1724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF" /grant Administrators:F
  2⤵
  PID:2492
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2" /a
  2⤵
  PID:1568
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2" /grant Administrators:F
  2⤵
  PID:232
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core" /a
  2⤵
  PID:1520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core" /grant Administrators:F
  2⤵
  PID:1108
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache" /a
  2⤵
  PID:2412
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache" /grant Administrators:F
  2⤵
  PID:2192
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary" /a
  2⤵
  PID:1876
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary" /grant Administrators:F
  2⤵
  PID:944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine" /a
  2⤵
  PID:1152
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine" /grant Administrators:F
  2⤵
  PID:1632
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings" /a
  2⤵
  PID:2956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings" /grant Administrators:F
  2⤵
  PID:1456
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry" /a
  2⤵
  PID:2656
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry" /grant Administrators:F
  2⤵
  PID:2540
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile" /a
  2⤵
  PID:2568
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile" /grant Administrators:F
  2⤵
  PID:1684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data" /a
  2⤵
  PID:2180
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data" /grant Administrators:F
  2⤵
  PID:2912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins" /a
  2⤵
  PID:2784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins" /grant Administrators:F
  2⤵
  PID:1412
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303" /a
  2⤵
  - Possible privilege escalation attempt
  PID:896
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2184
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html" /a
  2⤵
  PID:2264
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html" /grant Administrators:F
  2⤵
  PID:332
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon" /a
  2⤵
  PID:1204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon" /grant Administrators:F
  2⤵
  PID:2868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css" /a
  2⤵
  PID:2888
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css" /grant Administrators:F
  2⤵
  PID:1356
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs" /a
  2⤵
  PID:2452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs" /grant Administrators:F
  2⤵
  PID:484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html" /a
  2⤵
  PID:1028
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html" /grant Administrators:F
  2⤵
  PID:2724
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons" /a
  2⤵
  PID:208
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons" /grant Administrators:F
  2⤵
  PID:908
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF" /a
  2⤵
  PID:2672
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF" /grant Administrators:F
  2⤵
  PID:1168
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303" /a
  2⤵
  PID:1016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2124
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons" /a
  2⤵
  PID:1232
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons" /grant Administrators:F
  2⤵
  PID:1740
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib" /a
  2⤵
  PID:1688
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib" /grant Administrators:F
  2⤵
  PID:1908
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF" /a
  2⤵
  PID:2736
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF" /grant Administrators:F
  2⤵
  PID:2652
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2088
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema" /grant Administrators:F
  2⤵
  PID:1540
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033" /a
  2⤵
  PID:2832
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033" /grant Administrators:F
  2⤵
  PID:2120
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF" /a
  2⤵
  PID:928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF" /grant Administrators:F
  2⤵
  PID:2596
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717" /a
  2⤵
  PID:1876
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717" /grant Administrators:F
  2⤵
  PID:884
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css" /a
  2⤵
  PID:2364
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css" /grant Administrators:F
  2⤵
  PID:352
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark" /a
  2⤵
  PID:1592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark" /grant Administrators:F
  2⤵
  PID:572
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images" /a
  2⤵
  PID:2328
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images" /grant Administrators:F
  2⤵
  PID:1704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF" /a
  2⤵
  PID:2028
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF" /grant Administrators:F
  2⤵
  PID:2744
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm" /a
  2⤵
  PID:2548
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm" /grant Administrators:F
  2⤵
  PID:1516
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc" /a
  2⤵
  PID:2784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc" /grant Administrators:F
  2⤵
  PID:2752
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform" /a
  2⤵
  PID:2036
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform" /grant Administrators:F
  2⤵
  PID:2436
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config" /a
  2⤵
  PID:200
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config" /grant Administrators:F
  2⤵
  PID:1912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps" /a
  2⤵
  PID:696
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps" /grant Administrators:F
  2⤵
  PID:1616
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules" /a
  2⤵
  PID:2932
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules" /grant Administrators:F
  2⤵
  PID:2480
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core" /a
  2⤵
  PID:1300
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2600
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale" /a
  2⤵
  PID:2724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale" /grant Administrators:F
  2⤵
  PID:2348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib" /a
  2⤵
  PID:228
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib" /grant Administrators:F
  2⤵
  PID:1636
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe" /a
  2⤵
  PID:788
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe" /grant Administrators:F
  2⤵
  PID:2024
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale" /a
  2⤵
  PID:2276
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale" /grant Administrators:F
  2⤵
  PID:1016
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules" /a
  2⤵
  PID:2116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules" /grant Administrators:F
  2⤵
  PID:2844
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext" /a
  2⤵
  PID:900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext" /grant Administrators:F
  2⤵
  PID:1540
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale" /a
  2⤵
  PID:1720
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale" /grant Administrators:F
  2⤵
  PID:2076
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale" /a
  2⤵
  PID:752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale" /grant Administrators:F
  2⤵
  PID:756
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking" /a
  2⤵
  PID:1980
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking" /grant Administrators:F
  2⤵
  PID:1456
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler" /a
  2⤵
  PID:1424
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler" /grant Administrators:F
  2⤵
  PID:928
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config" /a
  2⤵
  PID:2816
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config" /grant Administrators:F
  2⤵
  PID:2708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules" /a
  2⤵
  PID:2528
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules" /grant Administrators:F
  2⤵
  PID:2328
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib" /a
  2⤵
  PID:536
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib" /grant Administrators:F
  2⤵
  PID:1624
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed" /a
  2⤵
  PID:1288
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed" /grant Administrators:F
  2⤵
  PID:972
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15" /a
  2⤵
  PID:1400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15" /grant Administrators:F
  2⤵
  PID:2264
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64" /a
  2⤵
  - Modifies file permissions
  PID:204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64" /grant Administrators:F
  2⤵
  PID:2784
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16" /a
  2⤵
  - Modifies file permissions
  PID:2336
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16" /grant Administrators:F
  2⤵
  PID:2400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64" /a
  2⤵
  PID:2068
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64" /grant Administrators:F
  2⤵
  PID:696
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale" /a
  2⤵
  PID:2056
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2132
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules" /a
  2⤵
  PID:296
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules" /grant Administrators:F
  2⤵
  PID:908
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale" /a
  2⤵
  PID:1260
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale" /grant Administrators:F
  2⤵
  PID:2388
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking" /a
  2⤵
  PID:1888
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking" /grant Administrators:F
  2⤵
  PID:1300
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm" /a
  2⤵
  PID:1388
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm" /grant Administrators:F
  2⤵
  PID:2980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config" /a
  2⤵
  PID:2376
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config" /grant Administrators:F
  2⤵
  PID:2764
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules" /a
  2⤵
  PID:1016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules" /grant Administrators:F
  2⤵
  PID:3068
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core" /a
  2⤵
  PID:1656
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core" /grant Administrators:F
  2⤵
  PID:3020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale" /a
  2⤵
  PID:2516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale" /grant Administrators:F
  2⤵
  PID:1720
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules" /a
  2⤵
  PID:1520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules" /grant Administrators:F
  2⤵
  PID:2556
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale" /a
  2⤵
  PID:2796
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale" /grant Administrators:F
  2⤵
  PID:1728
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking" /a
  2⤵
  PID:2144
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking" /grant Administrators:F
  2⤵
  PID:1876
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7" /a
  2⤵
  PID:352
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7" /grant Administrators:F
  2⤵
  PID:2584
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2656
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin" /grant Administrators:F
  2⤵
  PID:2612
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\jabswitch.exe" /a
  2⤵
  PID:2028
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\jabswitch.exe" /grant Administrators:F
  2⤵
  PID:448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\dtplugin" /a
  2⤵
  PID:1396
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\dtplugin" /grant Administrators:F
  2⤵
  PID:1820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\plugin2" /a
  2⤵
  PID:2712
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\plugin2" /grant Administrators:F
  2⤵
  PID:1968
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\server" /a
  2⤵
  PID:2696
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\server" /grant Administrators:F
  2⤵
  PID:1652
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib" /a
  2⤵
  PID:2528
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib" /grant Administrators:F
  2⤵
  PID:536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\amd64" /a
  2⤵
  PID:1420
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\amd64" /grant Administrators:F
  2⤵
  PID:2464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\applet" /a
  2⤵
  PID:2108
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\applet" /grant Administrators:F
  2⤵
  PID:2932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\cmm" /a
  2⤵
  PID:1776
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\cmm" /grant Administrators:F
  2⤵
  PID:2828
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\deploy" /a
  2⤵
  PID:2856
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\deploy" /grant Administrators:F
  2⤵
  PID:2800
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\ext" /a
  2⤵
  PID:2428
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\ext" /grant Administrators:F
  2⤵
  PID:2440
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\fonts" /a
  2⤵
  PID:788
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\fonts" /grant Administrators:F
  2⤵
  PID:1348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\images" /a
  2⤵
  PID:1460
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\images" /grant Administrators:F
  2⤵
  PID:2088
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\images\cursors" /a
  2⤵
  PID:1656
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\images\cursors" /grant Administrators:F
  2⤵
  PID:2376
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\jfr" /a
  2⤵
  PID:1880
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\jfr" /grant Administrators:F
  2⤵
  PID:2788
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\management" /a
  2⤵
  PID:2192
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\management" /grant Administrators:F
  2⤵
  PID:900
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\security" /a
  2⤵
  PID:1952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\security" /grant Administrators:F
  2⤵
  PID:1152
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi" /a
  2⤵
  PID:2000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi" /grant Administrators:F
  2⤵
  PID:1424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Africa" /a
  2⤵
  PID:1512
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Africa" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2280
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America" /a
  2⤵
  PID:1200
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America" /grant Administrators:F
  2⤵
  PID:496
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\Argentina" /a
  2⤵
  PID:1412
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\Argentina" /grant Administrators:F
  2⤵
  PID:2432
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\Indiana" /a
  2⤵
  PID:2036
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\Indiana" /grant Administrators:F
  2⤵
  PID:1820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\Kentucky" /a
  2⤵
  PID:1396
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\Kentucky" /grant Administrators:F
  2⤵
  PID:2052
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\North_Dakota" /a
  2⤵
  - Modifies file permissions
  PID:2332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\North_Dakota" /grant Administrators:F
  2⤵
  PID:1212
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Antarctica" /a
  2⤵
  PID:1408
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Antarctica" /grant Administrators:F
  2⤵
  PID:2452
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Asia" /a
  2⤵
  PID:2696
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Asia" /grant Administrators:F
  2⤵
  PID:2068
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Atlantic" /a
  2⤵
  PID:2776
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Atlantic" /grant Administrators:F
  2⤵
  PID:696
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Australia" /a
  2⤵
  PID:1916
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Australia" /grant Administrators:F
  2⤵
  PID:536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Etc" /a
  2⤵
  PID:2752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Etc" /grant Administrators:F
  2⤵
  PID:780
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Europe" /a
  2⤵
  PID:228
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Europe" /grant Administrators:F
  2⤵
  PID:2016
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Indian" /a
  2⤵
  PID:1736
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Indian" /grant Administrators:F
  2⤵
  PID:3028
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Pacific" /a
  2⤵
  PID:2276
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Pacific" /grant Administrators:F
  2⤵
  PID:2188
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\SystemV" /a
  2⤵
  PID:232
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\SystemV" /grant Administrators:F
  2⤵
  PID:1348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games" /a
  2⤵
  PID:1908
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games" /grant Administrators:F
  2⤵
  PID:1300
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess" /a
  2⤵
  PID:2348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess" /grant Administrators:F
  2⤵
  PID:2024
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\Chess.exe" /a
  2⤵
  PID:1540
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\Chess.exe" /grant Administrators:F
  2⤵
  PID:1188
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\de-DE" /a
  2⤵
  PID:876
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\de-DE" /grant Administrators:F
  2⤵
  PID:2368
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\en-US" /a
  2⤵
  PID:2000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\en-US" /grant Administrators:F
  2⤵
  PID:2496
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\es-ES" /a
  2⤵
  PID:1704
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\es-ES" /grant Administrators:F
  2⤵
  PID:2484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\fr-FR" /a
  2⤵
  PID:692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\fr-FR" /grant Administrators:F
  2⤵
  PID:2536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\it-IT" /a
  2⤵
  PID:2612
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\it-IT" /grant Administrators:F
  2⤵
  PID:2656
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\ja-JP" /a
  2⤵
  PID:1468
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\ja-JP" /grant Administrators:F
  2⤵
  PID:332
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell" /a
  2⤵
  PID:2868
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell" /grant Administrators:F
  2⤵
  PID:2328
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe" /a
  2⤵
  PID:204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe" /grant Administrators:F
  2⤵
  PID:1648
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\de-DE" /a
  2⤵
  PID:2152
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\de-DE" /grant Administrators:F
  2⤵
  PID:1396
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\en-US" /a
  2⤵
  PID:2036
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\en-US" /grant Administrators:F
  2⤵
  PID:2568
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\es-ES" /a
  2⤵
  PID:212
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\es-ES" /grant Administrators:F
  2⤵
  PID:644
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\fr-FR" /a
  2⤵
  PID:2800
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\fr-FR" /grant Administrators:F
  2⤵
  PID:1232
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\it-IT" /a
  2⤵
  PID:952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\it-IT" /grant Administrators:F
  2⤵
  PID:1692
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\ja-JP" /a
  2⤵
  PID:1460
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\ja-JP" /grant Administrators:F
  2⤵
  PID:2092
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts" /a
  2⤵
  PID:2188
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts" /grant Administrators:F
  2⤵
  PID:2948
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\Hearts.exe" /a
  2⤵
  PID:1888
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\Hearts.exe" /grant Administrators:F
  2⤵
  PID:1656
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\de-DE" /a
  2⤵
  PID:2076
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\de-DE" /grant Administrators:F
  2⤵
  PID:1552
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\en-US" /a
  2⤵
  PID:756
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\en-US" /grant Administrators:F
  2⤵
  PID:1980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\es-ES" /a
  2⤵
  PID:2972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\es-ES" /grant Administrators:F
  2⤵
  PID:1512
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\fr-FR" /a
  2⤵
  PID:1216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2079209307-68796204473128317217840311332118289709775115278316982791-944969288"
1⤵
PID:1424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1057068199198919260374205482762000258-12291030974075651121610289178-855506335"
1⤵
PID:2668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-859917874-1106310746-10489174718852343611180925555-774350303216189230-1431522188"
1⤵
PID:2868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "247994186-354179688-1984392957607599924-569816183-1020987257-165015803-1258370024"
1⤵
PID:1252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1506918238448901226-10725913122100519870835013896-16724686149393728661237020314"
1⤵
PID:608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2079744833790847670-366953971-1111445809-1272553080140943352937529264936818851"
1⤵
PID:448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-158651789219164612641345165042-111420121-808282193-1349579317-809239211-167626142"
1⤵
PID:1700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "22247988118121321431285761611220191591281325795-852252345445392881821594363"
1⤵
PID:1476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "146652647-1286040013-1185198211-1015743114-1295018336-14828941921157000422288841697"
1⤵
PID:3016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "123118474-509818090-1079625493-1110834650-131465760433493493216032182801341653546"
1⤵
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1770576109-569952414-286549936-1742363437-449666280-1754150009-1162904570-1362431491"
1⤵
PID:2564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "44935298-9840449461883193053-1595283929-127458173859209140-27557094768996240"
1⤵
PID:2592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-90302852-205299036261426058010569988721469259800629336011-455544868-135351694"
1⤵
PID:2932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13104159892004737989198797172689214282116159393691474349102167900832-580509448"
1⤵
PID:2016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "81516236411892251612256956615741995361995341595-533731007-12751021892045114619"
1⤵
PID:232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17036667601839870908869570952251843970-16789744351685751231480298152169091529"
1⤵
PID:2824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1172934290-1198638988-617795787-1751977735-17859450051842820555-1027505861733383850"
1⤵
PID:1720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9402559851668576706-485245147-2118051778-17247813611356366930-1974726853-118108351"
1⤵
PID:1020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2083404548-1184003017-386289567145020607810733640821230214330844880635-528591654"
1⤵
PID:2176

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14678249131127677268-1663419400398895-22974871446477650-1192818602-1411536558"
1⤵
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1126387705-155780985-359833765706755952-1139570822-1634296018-865203702-766435947"
1⤵
PID:2968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1662462060979138493733196909-15767924172654931651537488174212122558-1111307295"
1⤵
PID:496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12270627-53836498515477937301953993576-1383287763136492513-1214897100-2093662934"
1⤵
PID:1648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16417776784687387261785806254-837284030-120545143-455147194-96573631-873146359"
1⤵
PID:484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "638965675-19478572671981275048225617499-274226905-934379658674354931415503312"
1⤵
PID:356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "746135598-936991395-1826552820710229950-241619009-1447495490379522416471827879"
1⤵
PID:1884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1422605656-1457853257119673709-838961796-1525011843-296424510-617948905-1519334611"
1⤵
PID:2364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1416124003-638536695558741785-1106569024650707432693179613-6971086891217920170"
1⤵
PID:996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6323006611348094266-10662649822717842291359074833-1205016983779156600880210076"
1⤵
PID:2744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1634549526-920929691466162117-13491222241244737351139317035013615715891699042192"
1⤵
PID:1968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1657461208-1196587051-328262124181569009-491510583-1375531844-405341667-702325405"
1⤵
PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4613319510467825521736950302-46948778612383853-238664269573385799-2004012946"
1⤵
PID:1424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1512246509-1466532599-1755098378551606519-879499797-9387833811530708191-1716620816"
1⤵
PID:600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-235819660553768760-7897885731983838852293394961-18952080981883714703899788546"
1⤵
PID:2752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1064024793338806552-38584332035586117-196067581-1117919658-245600579-1464539467"
1⤵
PID:1524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-815898971-997971666-1514494254-9744740449574231421449979468243906244-1240060327"
1⤵
PID:216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11043728631923864587-39030256515492237691382253287-16315245411879056918965863"
1⤵
PID:1932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12727401261975112407-393719089-261774927-11883194371330153277271597511920493066"
1⤵
PID:2844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1546016252717950240-1162525314-1520032167-2042041177-11962259111118664677435122088"
1⤵
PID:1076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1495365471920183774-8661430591351650644-18444325706024617676121575411071790579"
1⤵
PID:3032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7368229131493893113-69185834817423171591714177996-2061698635-351825808-1522260714"
1⤵
PID:2972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-130150142154718599-526259069642826494105153168623405895-12511578501705070817"
1⤵
PID:2328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1839309816-1078681831-1340162150298623420-1039338943-2004250596545846309-529829908"
1⤵
PID:1408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-513865925-758141980-63549186614381005341765466781-497354120893028447598128622"
1⤵
PID:1612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16695916141940958534-1445063935168556688617746016301495862399-96879597277271446"
1⤵
PID:1824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13918023921563915637-127390094157566402514291029541282585999-20613273681249261564"
1⤵
PID:2292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1102877118-35565359-1619514497-51723934115566400391308561023909609045-2000263963"
1⤵
PID:2796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-623961045121017922839282710-15025477807110294-1491103560-691331559386231164"
1⤵
PID:2144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15194839121898496213178381287720089646613551415971724927544-1655466528940364774"
1⤵
PID:2528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1006837938-1305247149101038816911385067122104509916-1480420545-958492289-1901254632"
1⤵
PID:2096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1716423851-2091393702349753089-19021197388762166096332596421143024585-2041830577"
1⤵
PID:2240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3267574161214365579-1393335026-1389890258-1042449761131663968200114609486674306"
1⤵
PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8472420-39082523635384296545641562369650156-1998335554967495899-1630824682"
1⤵
PID:2956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12777072751588051462-11090260412077433428599882537-20791408611069085561-1356135309"
1⤵
PID:1896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17283100501162545781-2107812766584426115-2046127894-982044982-1718436885-873941090"
1⤵
PID:760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-212604852013259910881090015137736552304-20338597281225912700-1810949169-146688339"
1⤵
PID:332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-685657371-3225146911418467611-722404123-2132242693-2092419927-126356693-553918782"
1⤵
PID:2900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17059272710507503404694682813915284901762084745-1101537138-2119417644668372123"
1⤵
PID:2704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1185856531162196045-748422121414940547-421262489-1281802011-736533415-1927971406"
1⤵
PID:1448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12015975211988313505-1099702464-9701365431635881611-300656674322518092709857435"
1⤵
PID:1588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1534653838877698834-199162800-2046092381920607668-833855017-341368498-220007505"
1⤵
PID:3032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9573876041436896984206470165-810600531-12047247771584531889-1131104655-374084103"
1⤵
PID:888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1144408273-567563255649632767-1128093990642951483591712101-21316425252118404339"
1⤵
PID:2444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1684702728-63634642977713355-160745254-1347362725-3786687271501379281394829278"
1⤵
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "66597235015530932231495973706-574602778985665830134231547419341777161994062406"
1⤵
PID:1852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-867953051-1233466079-20262916951945453172815551867-879665424-15571032842134019120"
1⤵
PID:1108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17013892201535510300-1842165170-6209818168709120704156609-299929375-577764073"
1⤵
PID:2652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1372806900-110686362911399588361446109122-13838017391749814112-18677968881147408418"
1⤵
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-69847232133173906-118847264210337976761039571106901297056-3851376881498535924"
1⤵
PID:1588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1660318188205409563917107265551290382748-1751098603-1822731588-2141085578-2125470509"
1⤵
PID:928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "459763395-115441340740937333226652851155385439-718664817-2015671780-633350418"
1⤵
PID:212

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1106646102-1670612167-786876655262543663831590567-276139311-1962143090-51290735"
1⤵
PID:1636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1323663577-2126528771-1224594533-1909120194-245589102-608743709214056151517020531"
1⤵
PID:448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11839846542844666551214342381263873509-786782601562913906-1675963772-2004747562"
1⤵
PID:1692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1407826741-888069450-314117824-23574163962111348720413210631904639200-1171985879"
1⤵
PID:3068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "265251256-772312741130515919440338649-1824397052-854057316260252913355857991"
1⤵
PID:2864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16214321811488666600-460185253-1990130386-357890847-373117358-2119256647-1986565009"
1⤵
PID:2160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1648394948695556756-119067024711903741841569503957-2326558741944328670-1507310695"
1⤵
PID:984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15015621446408154401771214791971486014-1889287820-50743135-6793094361773602739"
1⤵
PID:316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "808137113230534510599287551362658786-332545449-245427610431244504900540658"
1⤵
PID:1488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "409910929951534061940505409-1569581602115073513620340389-18819870931953203640"
1⤵
PID:2776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1441706667-16472474101414706321369706027-2249000781802372193-1970997272-1647672068"
1⤵
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.exe

Filesize
1.8MB

MD5
3900f7cb45a5720e856190b903e6f300

SHA1
9697bf534890f51723907856be5c74ce4f628454

SHA256
441f91ddf843de9ee590a76163c661f83c47d176938b21991ae9db9a75325e5a

SHA512
3ca10bf6335337acc147b2a7aecd316f9512aa6fc0dd6327c3ba119f3ce8c6586795fd099b91c3b4aee961452ad7e08e73edaae0f9f4dafad666be4fb4259cc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
27e896886340358645e604a4d523d100

SHA1
3c7f1c8ab4bccf63ec94302f05b83893f57eb1d0

SHA256
7f3bc9ea32ee2069e27a029d1d0f00530e71ed9cdd9606136f23ab5eeb26fbd6

SHA512
927b3db4ed62fc0256428d2cbf6e51379be6b00233df70b40ef6e735e9c0b3e027b64190440b3c5173aea93fac9721d27fd2ca07d0c4ba5217ba1ae25b89dd44

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RCX705.tmp

Filesize
360KB

MD5
218e18002822b9a3f9fbb5b609f24a03

SHA1
b50a0f3a9d2faf51278081a35f131035ad3860b6

SHA256
e33aecf0678644129fd44a7711a50ca3e648bd92d2a2d9559145f2d3207e5f4e

SHA512
e619f4a104def71c06e52a2a0b8a23dfddafec3cf7d7205217c38fc3a1d474aa8f7e0dc398d6b9b19a6eb272a092d3ae164e4fe763630994b90425ff6fa5480d

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
b3338463452d4c6a7905cd43830aaf19

SHA1
ae5bbd2efbef7a7c88575d41249f4aad0883af13

SHA256
57901f4c356a1053a6a2fd51248ff1fc79133ca95e967141d724f8e155f84fc4

SHA512
23a28484152df1dc59bb63bfb96a0efa636faeda4a22ade9fa98a917581f987319dbfabedc96607832ca4c35e4e6243eeda699b6fb89e1a72575478539e6c724

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\msvcp120ex.dll

Filesize
8.0MB

MD5
d5a50cfd9b09cea2221b9165684f8968

SHA1
3006ed5e55789f7715782a8fb57ea5cdd3c64e85

SHA256
845c3f41e7660239a75b387afe8414c615d912f56b0907d656b6c1f0306b554d

SHA512
4e18ccd62a49ac49b070ef03f8b2daf262b9d20b63e2f80ddae0e911bf43dbb69a75a5852f87406236b1f093d76c7bf28c9d8260cffa8b6274ba2c447b631af7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
c1aeb1b7e4c8a16aa94b6bc3f5bcfbe6

SHA1
358f355fc6804769e72e7472ad827b236dd42137

SHA256
7ddae14a1ca5f196c9956041bea1abe4a12b33e1d41edcf793c3ff90fae37f59

SHA512
332f1567dc0dfae6288ef535c95191e0abad2ef14c9c3399512e6f0d55dd4c728e9d2892bf36e23f32ab16708773f3c8c439e0109e68bad5cd4d83dea57d2184

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
b340c894bb6b8b0df829e3290b890a28

SHA1
c15cdce06cdca5a5432513a849b6129ce5a9dee4

SHA256
a57207acec48daee1b81e33cf5e028900e78dd7396b80cd60865c910b5d2ede6

SHA512
016d7ac9d14a88b889067e2c69ac0cda7412bc4d0e8148bc238440bce89d6e2252f779dbf0ae9d4750802fcfd45936cb8037ecdc10042f5d051945204545f702

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
e7020e70d7076429f6e86f1666661b6d

SHA1
39a349b9d8161c2c1be9cc7c6b29d709135465c8

SHA256
fc5d82a054c8df8bb1243cead7bf762f034e8c0d63a94876f4584710cc2b9748

SHA512
b2ab9084d2f8e549e3e1c124fbc0aedfd35c6fad2672dd87100e660e6047aaeb2ec9d77542b786ca86988d1aceac0b3e5d735c2a9b4a2fed71f513a232704494

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\msvcp120ex.dll

Filesize
8.0MB

MD5
930e5afb18586a084cbaf710122d1b08

SHA1
765684823003a3e75a8e73dd2089c18bb7ce256f

SHA256
aad461b7b2db24c1449cce475bda20c0698d4cda855eb229f1a1e816e18c5af3

SHA512
7d04eac6afb36b535f290e2be89607aeb7f5e41e32137347bd10598ce3d9160c01dd430cf1703151e060a2c2b58e6bf24f6f316e80595d4cbedd3f39122400d3

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\543874868

Filesize
420KB

MD5
1910d3503a74274db73b107540f9da5e

SHA1
f2d907a7121e5cc21bacf24187f7fed7113d94e6

SHA256
d7bb323a8416ebb44bbc74e0b3ea4b17bf788ec39d2f57b850b657a356fc0b73

SHA512
da2efe0debc27871cda851380d5287ab7434ba486a532af5e90dcc7950b7cec24430de757c98ed8d7ba6850bd6ebc870d5dbdc2ac8e47d4808fda5e56ae41d28

Download Submit
C:\Program Files (x86)\Google\Update\RCX2BCD.tmp

Filesize
60KB

MD5
422d954e544f8023c83b70ad479bb093

SHA1
a73a997477c45fd9f7bea39bcffaf997a282276b

SHA256
3d3b5eba79d784945866d18b04827c61ba5268a4e6cce1776e4c3d4140e1d67a

SHA512
cd3f8056b71f63c84f3b0a9e68a5af36444fff30307797af5bebe9f934c0bee63407d87f75d97ac214e372d7aac993b948d4174bb8da49366dae80f68943e6ba

Download Submit
C:\Program Files\DVD Maker\13890929

Filesize
2.3MB

MD5
b2672bb8f1bc96861d4763544eadc5fd

SHA1
f09c96e01977e12e76b808d2322e1daa7d17d361

SHA256
63d5e27d3e2c92a561155c9709d8a83f7fd8f37fb8d3c9eba17405f7979f1554

SHA512
16c9c3dbfd11d71c24f1fb3adef121caf8df7ddfb7310befd0404d940abecb9665f00b4aee7764929b4a770ffec4abffd8cc41e3c8620c116f0d9f23027463cc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\356266666

Filesize
4.3MB

MD5
c0518cef4fca5b87c5eb5bbd8014557c

SHA1
00737eb62d3702142f6b614b5413be4dc950d950

SHA256
277fcb370cdd6c8b853aac0e3a32bb0ee4272ddc14baafd76a973740aa10981f

SHA512
4097229d7d2d5844cb2b4ac316ac395abff31fc2ad19e3c0650e41347d37ca178cd07a4f0a9d44f7c2aa1edb22119b90a82e5be5c7ebe75c3c3db3178e0daf86

Download Submit
C:\Program Files\Microsoft Games\FreeCell\799812007

Filesize
881KB

MD5
38758b6434bb96639f79be463440073f

SHA1
c55a5de9b002f4d54f2e948751f3c925e30c7082

SHA256
0a7063f017eba4096a714527e40f97dcce50e7ec0c8da28435b8f80663074dc6

SHA512
4ec0bef43c01846693cdf131560f2dd103aeb89a27770993bbe096c39441db9ad8e325e92ddd1bb079f2bd0e93ab07d6041b050eeeb2141f134b21a5e551c3b7

Download Submit
C:\Program Files\Mozilla Firefox\uninstall\24735810

Filesize
1.3MB

MD5
b5f78ab86d4e7e2d3e9f5d4701e66381

SHA1
3ff1401470befdbc0635d3848ba9f16f94012319

SHA256
4f0a5e31cea074f5ebbd902a665f3effa5e908aafa551c3fc1599cc2bf641389

SHA512
b71979c9ae0462d2f78ec3ec9d53e8901e6396c651581ae5c3dcf64d29ecdfaec46ca7caa1fe4dd5863b29b57795fda178bf73e5da433b6e5f3a36def638d558

Download Submit
C:\Users\Admin\AppData\Local\Temp\444627239

Filesize
307KB

MD5
f1a9b4b1f750bb90b7240f38aa3fd939

SHA1
4d630bd6b89f4ba0315ed37035d5e32775a7b969

SHA256
7cc9be747a138d8b9e716ee5f16188215b730af91d9fe954d8e172f515f5b498

SHA512
e4d6eea0e415d27f39224af29cef84bd55fb098b06c7aaee38d6eac34621ca3585bbae0d2fc2938bbe5755fd6d3bbbf47f9c4bc29a6e6914f761c1c76e4a107f

Download Submit
C:\Users\Admin\AppData\Local\Temp\freya_jkt48.log

Filesize
4KB

MD5
7df14f970f590c0b23bb134d888278bc

SHA1
2ee7658c0066f70f196ffd38683a0e948f128ace

SHA256
f578d34366cc6c7ed83aa3da2d4e086348ef87c7f6584180a2db0a07cf417c1e

SHA512
c1ea6e6f4be80c8fd9745bdc99022b4966ed74487cb11a3f10d4c4f9c5cf711062a2470f192e0a2e73b653497bfaee75f74ecbcbf97e6f3e205a61d45ea975fc

Download Submit
C:\Windows\System32\msconfig.exe

Filesize
57KB

MD5
cf45949cdbb39c953331cdcb9cec20f8

SHA1
6756f752141602424af234433dadedc12520165d

SHA256
34df739526c114bb89470b3b650946cbf7335cb4a2206489534fb05c1fc143a8

SHA512
b699b406bb4df8c6fb6339219ab1feaa5c7b2c39082d3761689e9b5326e52861bb8e2770d683838b05e649ff2022f413dc1e3f7e605a03077190f8950f9442be

Download Submit
memory/2644-0-0x000007FEF6453000-0x000007FEF6454000-memory.dmp

Filesize
4KB

Download
memory/2644-401-0x000000001ABE0000-0x000000001AC40000-memory.dmp

Filesize
384KB

Download
memory/2644-338-0x000007FEF6450000-0x000007FEF6E3C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-330-0x000007FEF6453000-0x000007FEF6454000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x0000000000180000-0x0000000000992000-memory.dmp

Filesize
8.1MB

Download
memory/2644-2-0x000007FEF6450000-0x000007FEF6E3C000-memory.dmp

Filesize
9.9MB

Download