Resubmissions
28/03/2025, 14:59 | 250328-sc4wsazjx2 | 10
28/03/2025, 14:53 | 250328-r9rr2sxwbz | 10
27/03/2025, 13:35 | 250327-qvr9laswew | 10
Analysis
max time kernel: 56s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2025, 13:35
Static task: static1
Behavioral task: behavioral1
Sample: JKT48.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JKT48.exe
Resource: win10v2004-20250314-en
General
Target: JKT48.exe
Size: 8.0MB
MD5: 41f5bac802f5e79dc2ca7a3db25d0001
SHA1: ce56c42cadd2db13edf03c15ce3b11c2cfa00f9e
SHA256: 9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d
SHA512: 94705e83ce1b104954be07210ea3648c7403a6dd86ebaf6e884ced1552636b6a05a3b2926415d6c49ff251a675815435e4b2a3c8f816bbbf68c08c3299db99ab
SSDEEP: 196608:PF35AX/ip4e/aS3e+gr80KILDjhoOX9oeqZ8r8swzH0e:d3KX/o4eSTr80xHhJ8s63
Malware Config
Signatures
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | JKT48.exe
-
UAC bypass 3 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JKT48.exe
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JKT48.exe
-
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 32 IoCs
Possible privilege escalation attempt 64 IoCs
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | JKT48.exe
-
Loads dropped DLL 1 IoCs
pid | Process
4476 | Process not Found
-
Modifies file permissions 1 TTPs 64 IoCs
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | JKT48.exe
-
Drops file in System32 directory 29 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\windows\regedit.exe | JKT48.exe
File created | C:\windows\servicing\trustedinstaller.exe | JKT48.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2000 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
pid | Process
3604 | JKT48.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3604 | JKT48.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
3604 | JKT48.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JKT48.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
"C:\Users\Admin\AppData\Local\Temp\JKT48.exe" PID:3604
- Modifies Windows Defender DisableAntiSpyware settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
  "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin" /a PID:400
  "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin" /grant Administrators:F PID:8
  "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin\S-1-5-21-83325578-304917428-1200496059-1000" /a PID:4736
  "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin\S-1-5-21-83325578-304917428-1200496059-1000" /grant Administrators:F PID:1780
  "C:\windows\system32\takeown.exe" /f "C:\9067c5701a2f6bcc5b" /a PID:724
  "C:\windows\system32\icacls.exe" "C:\9067c5701a2f6bcc5b" /grant Administrators:F PID:2112
  "C:\windows\system32\takeown.exe" /f "C:\95a9da8d6083c53f11d88fcfaf8c" /a PID:4176
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\cmd.exe" /a PID:1924
  - Suspicious use of AdjustPrivilegeToken
  "C:\windows\system32\icacls.exe" "C:\95a9da8d6083c53f11d88fcfaf8c" /grant Administrators:F PID:1668
  "C:\windows\system32\icacls.exe" "C:\windows\system32\cmd.exe" /grant Administrators:F PID:4820
  "C:\windows\system32\takeown.exe" /f "C:\Documents and Settings" /a PID:3048
  "C:\windows\system32\icacls.exe" "C:\Documents and Settings" /grant Administrators:F PID:3972
  "C:\windows\system32\takeown.exe" /f "C:\PerfLogs" /a PID:4132
  "C:\windows\system32\icacls.exe" "C:\PerfLogs" /grant Administrators:F PID:648
  "C:\windows\system32\takeown.exe" /f "C:\Program Files" /a PID:2864
  - Suspicious use of AdjustPrivilegeToken
  "C:\windows\system32\icacls.exe" "C:\Program Files" /grant Administrators:F PID:1948
  "C:\windows\system32\takeown.exe" /f "C:\windows\regedit.exe" /a PID:3492
  - Suspicious use of AdjustPrivilegeToken
  "C:\windows\system32\icacls.exe" "C:\windows\regedit.exe" /grant Administrators:F PID:3420
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\reg.exe" /a PID:4116
  - Suspicious use of AdjustPrivilegeToken
  "C:\windows\system32\icacls.exe" "C:\windows\system32\reg.exe" /grant Administrators:F PID:4320
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskmgr.exe" /a PID:1708
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  "C:\windows\system32\icacls.exe" "C:\windows\system32\taskmgr.exe" /grant Administrators:F PID:3456
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip" /a PID:100
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\msconfig.exe" /a PID:3816
  - Suspicious use of AdjustPrivilegeToken
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip" /grant Administrators:F PID:4924
  "C:\windows\system32\icacls.exe" "C:\windows\system32\msconfig.exe" /grant Administrators:F PID:5048
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\7z.exe" /a PID:3192
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\7z.exe" /grant Administrators:F PID:1400
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\Lang" /a PID:4972
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\Lang" /grant Administrators:F PID:2588
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files" /a PID:2832
  - Suspicious use of AdjustPrivilegeToken
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files" /grant Administrators:F PID:2248
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\utilman.exe" /a PID:4140
  - Suspicious use of AdjustPrivilegeToken
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\DESIGNER" /a PID:4372
  "C:\windows\system32\icacls.exe" "C:\windows\system32\utilman.exe" /grant Administrators:F PID:4368
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\DESIGNER" /grant Administrators:F PID:1680
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared" /a PID:3472
  - Suspicious use of AdjustPrivilegeToken
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared" /grant Administrators:F PID:2648
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ClickToRun" /a PID:4692
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\sethc.exe" /a PID:4664
  - Suspicious use of AdjustPrivilegeToken
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ClickToRun" /grant Administrators:F PID:4116
  "C:\windows\system32\icacls.exe" "C:\windows\system32\sethc.exe" /grant Administrators:F PID:4320
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe" /a PID:2348
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe" /grant Administrators:F PID:4272
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink" /a PID:776
  - Suspicious use of AdjustPrivilegeToken
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink" /grant Administrators:F PID:4012
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe" /a PID:3296
  - Suspicious use of AdjustPrivilegeToken
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.exe" /a PID:4308
  - Suspicious use of AdjustPrivilegeToken
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe" /grant Administrators:F PID:5000
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.exe" /grant Administrators:F2⤵PID:3116
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ar-SA" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ar-SA" /grant Administrators:F2⤵PID:1984
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\bg-BG" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3180
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\bg-BG" /grant Administrators:F2⤵
- Modifies file permissions
PID:5108
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5084
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ" /grant Administrators:F2⤵PID:512
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\da-DK" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\da-DK" /grant Administrators:F2⤵PID:3904
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.msc" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5012
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\de-DE" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3520
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.msc" /grant Administrators:F2⤵
- Modifies file permissions
PID:2864
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\de-DE" /grant Administrators:F2⤵PID:4176
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\el-GR" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3300
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\el-GR" /grant Administrators:F2⤵PID:4572
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\en-GB" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4464
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\en-GB" /grant Administrators:F2⤵PID:4800
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\en-US" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1220
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\resmon.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4320
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\en-US" /grant Administrators:F2⤵PID:1420
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\resmon.exe" /grant Administrators:F2⤵PID:2376
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\es-ES" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4076
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\es-ES" /grant Administrators:F2⤵PID:3684
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\es-MX" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1328
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\es-MX" /grant Administrators:F2⤵PID:4308
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\et-EE" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4964
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\et-EE" /grant Administrators:F2⤵PID:1016
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\logonui.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4744
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fi-FI" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5108
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\logonui.exe" /grant Administrators:F2⤵PID:2592
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fi-FI" /grant Administrators:F2⤵PID:3904
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fr-CA" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:112
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fr-CA" /grant Administrators:F2⤵PID:3808
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fr-FR" /a2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2112
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fr-FR" /grant Administrators:F2⤵PID:452
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions" /grant Administrators:F2⤵PID:4928
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskkill.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:508
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3884
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\taskkill.exe" /grant Administrators:F2⤵PID:2100
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad" /grant Administrators:F2⤵PID:3288
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4444
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert" /grant Administrators:F2⤵PID:4044
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad" /grant Administrators:F2⤵PID:4572
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2108
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main" /grant Administrators:F2⤵PID:3784
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\rundll32.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:872
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3296
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\rundll32.exe" /grant Administrators:F2⤵PID:4520
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui" /grant Administrators:F2⤵PID:4748
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3716
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu" /grant Administrators:F2⤵PID:2308
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4740
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav" /grant Administrators:F2⤵PID:4132
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2216
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\rstrui.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2384
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad" /grant Administrators:F2⤵PID:1080
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\rstrui.exe" /grant Administrators:F2⤵PID:3640
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1112
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred" /grant Administrators:F2⤵PID:2176
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3164
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols" /grant Administrators:F2⤵PID:400
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\he-IL" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\he-IL" /grant Administrators:F2⤵PID:4628
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\hr-HR" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1140
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\sfc.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4076
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\hr-HR" /grant Administrators:F2⤵PID:3192
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\sfc.exe" /grant Administrators:F2⤵PID:4120
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\hu-HU" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\hu-HU" /grant Administrators:F2⤵PID:1328
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4452
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization" /grant Administrators:F2⤵PID:2260
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\it-IT" /a2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:3184
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\it-IT" /grant Administrators:F2⤵PID:2684
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ja-JP" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2884
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ja-JP" /grant Administrators:F2⤵PID:5020
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\winload.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3784
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ko-KR" /a2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4116
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\winload.exe" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:644
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ko-KR" /grant Administrators:F2⤵PID:3960
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4888
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel" /grant Administrators:F2⤵PID:112
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\lt-LT" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4540
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\lt-LT" /grant Administrators:F2⤵PID:1260
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\lv-LV" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4084
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\ntoskrnl.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4900
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\lv-LV" /grant Administrators:F2⤵PID:1716
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\ntoskrnl.exe" /grant Administrators:F2⤵PID:4444
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\nb-NO" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:100
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\nb-NO" /grant Administrators:F2⤵PID:4464
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\nl-NL" /a2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4508
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\nl-NL" /grant Administrators:F2⤵PID:4372
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\pl-PL" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\pl-PL" /grant Administrators:F2⤵PID:532
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\hal.dll" /a2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:4388
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\pt-BR" /a2⤵PID:3596
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\hal.dll" /grant Administrators:F2⤵PID:4476
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\pt-BR" /grant Administrators:F2⤵PID:2544
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\pt-PT" /a2⤵PID:3656
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\pt-PT" /grant Administrators:F2⤵PID:3048
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ro-RO" /a2⤵PID:4132
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ro-RO" /grant Administrators:F2⤵PID:4732
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ru-RU" /a2⤵PID:732
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\servicing\trustedinstaller.exe" /a2⤵PID:3372
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ru-RU" /grant Administrators:F2⤵PID:2484
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\servicing\trustedinstaller.exe" /grant Administrators:F2⤵PID:2220
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sk-SK" /a2⤵PID:5016
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sk-SK" /grant Administrators:F2⤵PID:508
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sl-SI" /a2⤵PID:4920
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sl-SI" /grant Administrators:F2⤵PID:400
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS" /a2⤵PID:5048
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS" /grant Administrators:F2⤵PID:3316
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sv-SE" /a2⤵PID:2388
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\cmd.exe" /a2⤵PID:3760
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sv-SE" /grant Administrators:F2⤵PID:2592
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\cmd.exe" /grant Administrators:F2⤵PID:4144
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\th-TH" /a2⤵PID:3324
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\th-TH" /grant Administrators:F2⤵
- Modifies file permissions
PID:1980
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\tr-TR" /a2⤵PID:2464
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\tr-TR" /grant Administrators:F2⤵PID:2252
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\uk-UA" /a2⤵PID:4524
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\uk-UA" /grant Administrators:F2⤵PID:3184
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\zh-CN" /a2⤵PID:3420
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\regedit.exe" /a2⤵PID:2708
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\zh-CN" /grant Administrators:F2⤵PID:4960
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\regedit.exe" /grant Administrators:F2⤵PID:4908
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\zh-TW" /a2⤵PID:3676
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\zh-TW" /grant Administrators:F2⤵PID:1732
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo" /a2⤵PID:1912
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo" /grant Administrators:F2⤵PID:2812
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe" /a2⤵PID:1372
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe" /grant Administrators:F2⤵PID:4736
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\reg.exe" /a2⤵PID:2484
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE" /a2⤵PID:116
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\reg.exe" /grant Administrators:F2⤵PID:1196
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE" /grant Administrators:F2⤵PID:2864
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US" /a2⤵PID:644
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US" /grant Administrators:F2⤵PID:4900
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES" /a2⤵
- Possible privilege escalation attempt
PID:2880
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES" /grant Administrators:F2⤵PID:3820
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR" /a2⤵PID:224
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR" /grant Administrators:F2⤵PID:2872
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskmgr.exe" /a2⤵
- Possible privilege escalation attempt
PID:2904
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT" /a2⤵PID:3972
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskmgr.exe" /grant Administrators:F2⤵PID:4572
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT" /grant Administrators:F2⤵PID:2000
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP" /a2⤵PID:3260
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP" /grant Administrators:F2⤵PID:2384
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA" /a2⤵PID:3104
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA" /grant Administrators:F2⤵PID:3668
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OFFICE16" /a2⤵PID:2228
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\utilman.exe" /a2⤵PID:2388
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OFFICE16" /grant Administrators:F2⤵PID:1980
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\utilman.exe" /grant Administrators:F2⤵PID:1640
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE" /a2⤵PID:2356
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE" /grant Administrators:F2⤵PID:4708
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller" /a2⤵PID:3872
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller" /grant Administrators:F2⤵PID:4528
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform" /a2⤵PID:3020
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform" /grant Administrators:F2⤵PID:1220
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.exe" /a2⤵PID:4284
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Source Engine" /a2⤵PID:3156
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.exe" /grant Administrators:F2⤵PID:2880
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Source Engine" /grant Administrators:F2⤵PID:8
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE" /a2⤵PID:432
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE" /grant Administrators:F2⤵PID:4820
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Stationery" /a2⤵PID:4072
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.msc" /a2⤵PID:4740
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Stationery" /grant Administrators:F2⤵PID:2524
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.msc" /grant Administrators:F2⤵PID:3332
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\TextConv" /a2⤵PID:2380
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\TextConv" /grant Administrators:F2⤵PID:4272
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\TextConv\en-US" /a2⤵PID:2256
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\TextConv\en-US" /grant Administrators:F2⤵PID:2084
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Triedit" /a2⤵PID:2592
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Triedit" /grant Administrators:F2⤵PID:1936
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Triedit\en-US" /a2⤵PID:1980
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\resmon.exe" /a2⤵PID:2136
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Triedit\en-US" /grant Administrators:F2⤵PID:532
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\resmon.exe" /grant Administrators:F2⤵PID:816
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VC" /a2⤵PID:3656
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VC" /grant Administrators:F2⤵PID:2336
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VGX" /a2⤵PID:3684
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VGX" /grant Administrators:F2⤵PID:708
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO" /a2⤵PID:3872
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO" /grant Administrators:F2⤵PID:116
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sethc.exe" /a2⤵PID:3696
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0" /a2⤵PID:4336
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\sethc.exe" /grant Administrators:F2⤵PID:4120
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO\10.0" /grant Administrators:F2⤵PID:3116
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe" /a2⤵PID:2308
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:2172
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033" /a2⤵PID:3988
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:1736
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Services" /a2⤵PID:2156
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Services" /grant Administrators:F2⤵PID:4164
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskkill.exe" /a2⤵PID:3668
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System" /a2⤵PID:452
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskkill.exe" /grant Administrators:F2⤵PID:4960
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System" /grant Administrators:F2⤵
- Modifies file permissions
PID:3760
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado" /a2⤵PID:2212
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado" /grant Administrators:F2⤵PID:4896
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\de-DE" /a2⤵PID:928
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\de-DE" /grant Administrators:F2⤵PID:4468
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\en-US" /a2⤵PID:2232
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\en-US" /grant Administrators:F2⤵
- Modifies file permissions
PID:1372
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sfc.exe" /a2⤵PID:2544
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\es-ES" /a2⤵PID:3520
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\sfc.exe" /grant Administrators:F2⤵PID:4528
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\es-ES" /grant Administrators:F2⤵PID:1220
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\fr-FR" /a2⤵PID:2908
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\fr-FR" /grant Administrators:F2⤵PID:3156
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\it-IT" /a2⤵PID:4452
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\it-IT" /grant Administrators:F2⤵PID:3872
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\ja-JP" /a2⤵PID:2136
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\ja-JP" /grant Administrators:F2⤵PID:3412
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\rundll32.exe" /a2⤵PID:2216
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\de-DE" /a2⤵PID:3296
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\rundll32.exe" /grant Administrators:F2⤵PID:1556
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\de-DE" /grant Administrators:F2⤵PID:1804
-
-
C:\windows\system32\vssadmin.exe"C:\windows\system32\vssadmin.exe" delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:2000
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\en-US" /a2⤵PID:5072
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\en-US" /grant Administrators:F2⤵PID:220
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\es-ES" /a2⤵PID:3912
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\es-ES" /grant Administrators:F2⤵PID:5092
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\fr-FR" /a2⤵PID:1144
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\fr-FR" /grant Administrators:F2⤵
- Modifies file permissions
PID:3784
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\it-IT" /a2⤵PID:4540
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\it-IT" /grant Administrators:F2⤵PID:744
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ja-JP" /a2⤵PID:3700
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ja-JP" /grant Administrators:F2⤵PID:2916
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc" /a2⤵PID:4280
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc" /grant Administrators:F2⤵PID:3696
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\de-DE" /a2⤵PID:3464
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\de-DE" /grant Administrators:F2⤵PID:1416
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\en-US" /a2⤵PID:3840
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\en-US" /grant Administrators:F2⤵PID:2216
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\es-ES" /a2⤵PID:4896
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\es-ES" /grant Administrators:F2⤵PID:2524
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\fr-FR" /a2⤵PID:2708
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\fr-FR" /grant Administrators:F2⤵PID:2580
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\it-IT" /a2⤵PID:276
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\it-IT" /grant Administrators:F2⤵PID:2176
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\ja-JP" /a2⤵PID:3960
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\ja-JP" /grant Administrators:F2⤵PID:3324
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB" /a2⤵PID:1640
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB" /grant Administrators:F2⤵PID:3140
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\de-DE" /a2⤵PID:1196
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\de-DE" /grant Administrators:F2⤵PID:1328
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\en-US" /a2⤵
- Modifies file permissions
PID:2928 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:744
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\en-US" /grant Administrators:F2⤵
- Modifies file permissions
PID:4808
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\es-ES" /a2⤵PID:3144
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\es-ES" /grant Administrators:F2⤵PID:3452
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\fr-FR" /a2⤵PID:1080
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\fr-FR" /grant Administrators:F2⤵PID:3696
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\it-IT" /a2⤵PID:3156
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\it-IT" /grant Administrators:F2⤵PID:2232
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\ja-JP" /a2⤵PID:2592
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\ja-JP" /grant Administrators:F2⤵
- Modifies file permissions
PID:1628
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\uk-UA" /a2⤵PID:2380
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\uk-UA" /grant Administrators:F2⤵PID:3180
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Crashpad" /a2⤵PID:2228
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Crashpad" /grant Administrators:F2⤵PID:2236
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Crashpad\attachments" /a2⤵PID:3372
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Crashpad\attachments" /grant Administrators:F2⤵PID:4016
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Crashpad\reports" /a2⤵PID:5092
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Crashpad\reports" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:4308
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet" /a2⤵PID:4084
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet" /grant Administrators:F2⤵PID:3876
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\dotnet.exe" /a2⤵PID:2396
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\dotnet.exe" /grant Administrators:F2⤵PID:4120
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host" /a2⤵PID:4544
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host" /grant Administrators:F2⤵PID:1416
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr" /a2⤵PID:2624
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr" /grant Administrators:F2⤵PID:3520
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr\6.0.27" /a2⤵PID:5048
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr\6.0.27" /grant Administrators:F2⤵PID:4960
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr\7.0.16" /a2⤵PID:288
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr\7.0.16" /grant Administrators:F2⤵PID:3884
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr\8.0.2" /a2⤵PID:2000
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr\8.0.2" /grant Administrators:F2⤵PID:5084
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2232
-
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared" /a2⤵PID:2220
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2236
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared" /grant Administrators:F2⤵PID:3820
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App" /a2⤵PID:3784
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App" /grant Administrators:F2⤵PID:644
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27" /a2⤵PID:3192
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27" /grant Administrators:F2⤵PID:2632
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe" /a2⤵PID:2684
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe" /grant Administrators:F2⤵PID:2832
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16" /a2⤵PID:3032
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16" /grant Administrators:F2⤵PID:336
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe" /a2⤵PID:3104
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe" /grant Administrators:F2⤵PID:1040
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2" /a2⤵PID:300
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2" /grant Administrators:F2⤵PID:3048
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe" /a2⤵PID:1628
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe" /grant Administrators:F2⤵PID:2580
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App" /a2⤵PID:4960
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1416
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App" /grant Administrators:F2⤵PID:292
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27" /a2⤵PID:1400
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27" /grant Administrators:F2⤵PID:3864
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs" /a2⤵PID:3116
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs" /grant Administrators:F2⤵PID:4464
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de" /a2⤵PID:3028
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4120
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de" /grant Administrators:F2⤵PID:2132
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es" /a2⤵PID:3872
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es" /grant Administrators:F2⤵PID:512
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr" /a2⤵PID:308
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr" /grant Administrators:F2⤵PID:2812
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it" /a2⤵PID:220
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it" /grant Administrators:F2⤵PID:2524
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja" /a2⤵PID:4516
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja" /grant Administrators:F2⤵PID:2624
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko" /a2⤵PID:4352
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko" /grant Administrators:F2⤵PID:2888
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3876
-
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl" /a2⤵PID:336
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3032
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl" /grant Administrators:F2⤵PID:3700
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR" /a2⤵PID:1652
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR" /grant Administrators:F2⤵PID:3144
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru" /a2⤵PID:1080
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru" /grant Administrators:F2⤵PID:3140
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr" /a2⤵PID:3296
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr" /grant Administrators:F2⤵PID:2348
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans" /a2⤵
- Possible privilege escalation attempt
PID:4368
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans" /grant Administrators:F2⤵PID:3156
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant" /a2⤵PID:4572
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant" /grant Administrators:F2⤵PID:1716
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16" /a2⤵PID:4016
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16" /grant Administrators:F2⤵PID:4056
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3192
-
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs" /a2⤵PID:220
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:308
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs" /grant Administrators:F2⤵PID:3784
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1400
-
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de" /a2⤵PID:2872
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de" /grant Administrators:F2⤵PID:3684
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es" /a2⤵PID:5052
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es" /grant Administrators:F2⤵PID:1944
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr" /a2⤵PID:2908
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr" /grant Administrators:F2⤵PID:3840
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it" /a2⤵PID:3008
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it" /grant Administrators:F2⤵PID:2348
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja" /a2⤵PID:1804
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja" /grant Administrators:F2⤵PID:5012
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko" /a2⤵PID:1984
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko" /grant Administrators:F2⤵PID:3984
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl" /a2⤵PID:304
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl" /grant Administrators:F2⤵PID:2000
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR" /a2⤵PID:3808
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR" /grant Administrators:F2⤵PID:3288
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru" /a2⤵PID:2272
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru" /grant Administrators:F2⤵PID:2872
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr" /a2⤵PID:4312
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr" /grant Administrators:F2⤵PID:3872
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans" /a2⤵PID:4876
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans" /grant Administrators:F2⤵
- Modifies file permissions
PID:3008
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant" /a2⤵PID:5084
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:2884
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2" /a2⤵PID:1544
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:1804
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs" /a2⤵PID:928
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs" /grant Administrators:F2⤵PID:1172
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:336
-
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de" /a2⤵PID:8
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de" /grant Administrators:F2⤵PID:2904
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es" /a2⤵PID:2720
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es" /grant Administrators:F2⤵PID:3020
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr" /a2⤵PID:3028
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1652
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr" /grant Administrators:F2⤵PID:4368
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it" /a2⤵PID:532
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2132
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it" /grant Administrators:F2⤵PID:112
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja" /a2⤵PID:4676
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2632
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja" /grant Administrators:F2⤵PID:4572
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko" /a2⤵PID:3700
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko" /grant Administrators:F2⤵PID:5108
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl" /a2⤵PID:2384
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl" /grant Administrators:F2⤵PID:4392
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR" /a2⤵PID:2168
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR" /grant Administrators:F2⤵PID:280
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1080
-
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru" /a2⤵PID:3808
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru" /grant Administrators:F2⤵PID:1732
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr" /a2⤵PID:3028
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr" /grant Administrators:F2⤵PID:3508
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans" /a2⤵PID:2772
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:292
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans" /grant Administrators:F2⤵PID:4676
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant" /a2⤵PID:4808
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant" /grant Administrators:F2⤵PID:876
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\swidtag" /a2⤵PID:4928
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\swidtag" /grant Administrators:F2⤵PID:3140
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google" /a2⤵PID:3008
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google" /grant Administrators:F2⤵PID:2248
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome" /a2⤵PID:280
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome" /grant Administrators:F2⤵PID:112
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application" /a2⤵PID:956
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application" /grant Administrators:F2⤵PID:3464
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\chrome.exe" /a2⤵PID:4120
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\chrome.exe" /grant Administrators:F2⤵PID:5108
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60" /a2⤵PID:4312
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60" /grant Administrators:F2⤵PID:2248
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe" /a2⤵PID:2168
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe" /grant Administrators:F2⤵PID:300
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\default_apps" /a2⤵PID:4692
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\default_apps" /grant Administrators:F2⤵PID:3368
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Extensions" /a2⤵PID:1172
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Extensions" /grant Administrators:F2⤵PID:1184
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer" /a2⤵PID:3048
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer" /grant Administrators:F2⤵PID:3092
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3864
-
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe" /a2⤵PID:816
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe" /grant Administrators:F2⤵PID:5092
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales" /a2⤵PID:4120
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales" /grant Administrators:F2⤵PID:2108
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\MEIPreload" /a2⤵PID:3144
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\MEIPreload" /grant Administrators:F2⤵PID:3972
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\PrivacySandboxAttestationsPreloaded" /a2⤵PID:4192
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\PrivacySandboxAttestationsPreloaded" /grant Administrators:F2⤵PID:2376
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\VisualElements" /a2⤵PID:116
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\VisualElements" /grant Administrators:F2⤵PID:1984
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm" /a2⤵PID:2300
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3116
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm" /grant Administrators:F2⤵PID:928
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific" /a2⤵PID:3964
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific" /grant Administrators:F2⤵PID:4044
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific\win_x64" /a2⤵PID:5000
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific\win_x64" /grant Administrators:F2⤵PID:3860
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\SetupMetrics" /a2⤵PID:300
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\SetupMetrics" /grant Administrators:F2⤵PID:4572
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:816
-
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer" /a2⤵PID:2548
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer" /grant Administrators:F2⤵PID:2836
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\ExtExport.exe" /a2⤵PID:3556
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\ExtExport.exe" /grant Administrators:F2⤵
- Modifies file permissions
PID:3964
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\de-DE" /a2⤵PID:3624
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\de-DE" /grant Administrators:F2⤵PID:4640
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\en-US" /a2⤵PID:4924
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\en-US" /grant Administrators:F2⤵PID:1492
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\es-ES" /a2⤵PID:956
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\es-ES" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:3412
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\fr-FR" /a2⤵PID:4572
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\fr-FR" /grant Administrators:F2⤵PID:4280
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\images" /a2⤵PID:5108
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\images" /grant Administrators:F2⤵
- Modifies file permissions
PID:1112
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\it-IT" /a2⤵PID:4132
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\it-IT" /grant Administrators:F2⤵PID:3508
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\ja-JP" /a2⤵PID:1944
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\ja-JP" /grant Administrators:F2⤵PID:1732
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\SIGNUP" /a2⤵PID:2388
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\SIGNUP" /grant Administrators:F2⤵PID:1184
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\uk-UA" /a2⤵PID:2108
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\uk-UA" /grant Administrators:F2⤵PID:3840
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java" /a2⤵PID:3556
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java" /grant Administrators:F2⤵
- Modifies file permissions
PID:2484
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8" /a2⤵PID:1040
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8" /grant Administrators:F2⤵PID:4824
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\bin" /a2⤵PID:2676
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\bin" /grant Administrators:F2⤵PID:4520
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe" /a2⤵PID:3956
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe" /grant Administrators:F2⤵PID:3872
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\include" /a2⤵PID:4692
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\include" /grant Administrators:F2⤵PID:2872
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\include\win32" /a2⤵PID:1708
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\include\win32" /grant Administrators:F2⤵PID:3192
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2720
-
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\include\win32\bridge" /a2⤵PID:4044
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\include\win32\bridge" /grant Administrators:F2⤵PID:1544
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre" /a2⤵PID:3840
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre" /grant Administrators:F2⤵PID:1256
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin" /a2⤵PID:4120
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin" /grant Administrators:F2⤵PID:1492
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe" /a2⤵PID:5108
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe" /grant Administrators:F2⤵PID:3144
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4016
-
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin" /a2⤵PID:2408
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin" /grant Administrators:F2⤵PID:112
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2" /a2⤵PID:512
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2" /grant Administrators:F2⤵PID:3784
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin\server" /a2⤵PID:3140
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin\server" /grant Administrators:F2⤵PID:4192
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\legal" /a2⤵PID:3412
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\legal" /grant Administrators:F2⤵PID:4120
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\legal\javafx" /a2⤵PID:3288
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\legal\javafx" /grant Administrators:F2⤵PID:3684
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\legal\jdk" /a2⤵PID:3048
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\legal\jdk" /grant Administrators:F2⤵PID:2484
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3192
-
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib" /a2⤵PID:3508
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib" /grant Administrators:F2⤵PID:1280
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\amd64" /a2⤵PID:4876
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\amd64" /grant Administrators:F2⤵PID:3700
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\applet" /a2⤵PID:3872
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\applet" /grant Administrators:F2⤵
- Modifies file permissions
PID:3784
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\cmm" /a2⤵PID:4120
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\cmm" /grant Administrators:F2⤵PID:5048
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\deploy" /a2⤵
- Modifies file permissions
PID:4676
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\deploy" /grant Administrators:F2⤵PID:1544
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\ext" /a2⤵PID:3840
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\ext" /grant Administrators:F2⤵PID:4384
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\fonts" /a2⤵PID:428
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\fonts" /grant Administrators:F2⤵PID:3096
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\images" /a2⤵PID:1492
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\images" /grant Administrators:F2⤵PID:2396
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors" /a2⤵PID:1172
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4368
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors" /grant Administrators:F2⤵PID:1732
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\jfr" /a2⤵PID:3464
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3008
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\jfr" /grant Administrators:F2⤵PID:3840
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3684
-
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\management" /a2⤵PID:3984
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\management" /grant Administrators:F2⤵PID:4192
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\security" /a2⤵PID:4520
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\security" /grant Administrators:F2⤵PID:3956
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy" /a2⤵PID:3912
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy" /grant Administrators:F2⤵PID:724
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited" /a2⤵PID:2248
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited" /grant Administrators:F2⤵PID:3872
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited" /a2⤵PID:2484
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited" /grant Administrators:F2⤵PID:112
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\legal" /a2⤵PID:1172
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\legal" /grant Administrators:F2⤵PID:2132
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\legal\javafx" /a2⤵PID:4476
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\legal\javafx" /grant Administrators:F2⤵PID:4888
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\legal\jdk" /a2⤵
- Modifies file permissions
PID:300
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\legal\jdk" /grant Administrators:F2⤵PID:1184
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\lib" /a2⤵PID:116
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\lib" /grant Administrators:F2⤵PID:3840
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8" /a2⤵PID:4192
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8" /grant Administrators:F2⤵PID:4464
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin" /a2⤵PID:5024
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5092
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin" /grant Administrators:F2⤵
- Modifies file permissions
PID:1040
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin\jabswitch.exe" /a2⤵PID:3784
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin\jabswitch.exe" /grant Administrators:F2⤵PID:2484
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin\dtplugin" /a2⤵PID:3144
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin\dtplugin" /grant Administrators:F2⤵PID:1732
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin\plugin2" /a2⤵PID:4944
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin\plugin2" /grant Administrators:F2⤵PID:116
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin\server" /a2⤵PID:3912
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin\server" /grant Administrators:F2⤵PID:5012
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\legal" /a2⤵PID:3388
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\legal" /grant Administrators:F2⤵PID:4888
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\legal\javafx" /a2⤵PID:4876
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3412
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\legal\javafx" /grant Administrators:F2⤵PID:3168
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\legal\jdk" /a2⤵PID:3020
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\legal\jdk" /grant Administrators:F2⤵PID:2944
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib" /a2⤵
- Possible privilege escalation attempt
PID:5000
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2348
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib" /grant Administrators:F2⤵PID:1708
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\amd64" /a2⤵PID:2168
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\amd64" /grant Administrators:F2⤵PID:4808
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\applet" /a2⤵PID:4384
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\applet" /grant Administrators:F2⤵PID:4692
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\cmm" /a2⤵PID:956
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3556
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\cmm" /grant Administrators:F2⤵PID:928
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\deploy" /a2⤵PID:3972
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\deploy" /grant Administrators:F2⤵PID:300
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1184
-
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\ext" /a2⤵PID:116
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\ext" /grant Administrators:F2⤵PID:4256
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\fonts" /a2⤵PID:3168
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\fonts" /grant Administrators:F2⤵PID:4692
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\images" /a2⤵PID:2376
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1944
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\images" /grant Administrators:F2⤵PID:3508
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\images\cursors" /a2⤵PID:5048
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2872
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\images\cursors" /grant Administrators:F2⤵PID:4412
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\jfr" /a2⤵PID:4888
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2108
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\jfr" /grant Administrators:F2⤵PID:4660
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\management" /a2⤵PID:116
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\management" /grant Administrators:F2⤵PID:1112
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\security" /a2⤵PID:3048
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3028
-
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\security" /grant Administrators:F2⤵PID:2708
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\security\policy" /a2⤵PID:1256
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\security\policy" /grant Administrators:F2⤵PID:3840
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\security\policy\limited" /a2⤵PID:5048
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\security\policy\limited" /grant Administrators:F2⤵PID:4384
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited" /a2⤵PID:4824
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited" /grant Administrators:F2⤵PID:3296
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office" /a2⤵PID:2708
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office" /grant Administrators:F2⤵PID:3464
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\Office16" /a2⤵PID:876
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\Office16" /grant Administrators:F2⤵PID:296
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE" /a2⤵PID:3092
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE" /grant Administrators:F2⤵PID:3700
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2772
-
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\PackageManifests" /a2⤵PID:3144
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\PackageManifests" /grant Administrators:F2⤵PID:4192
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root" /a2⤵PID:4924
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root" /grant Administrators:F2⤵PID:724
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Client" /a2⤵PID:1492
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Client" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:2376
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe" /a2⤵PID:1464
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe" /grant Administrators:F2⤵PID:956
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Document Themes 16" /a2⤵PID:4640
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Document Themes 16" /grant Administrators:F2⤵PID:2300
-
-
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers" /a2⤵PID:3296
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers" /grant Administrators:F2⤵PID:1372
-
-
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift" /a (PID 3168) [Possible privilege escalation attempt]
    - \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (PID 1492)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift" /grant Administrators:F (PID 936)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib" /a (PID 724)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib" /grant Administrators:F (PID 4864)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA" /a (PID 4256)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA" /grant Administrators:F (PID 3840)
    - \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (PID 956)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce" /a (PID 2448)
    - \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (PID 1720)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce" /grant Administrators:F (PID 3296)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib" /a (PID 5024)
    - \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (PID 3776)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib" /grant Administrators:F (PID 5132)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033" /a (PID 5180)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033" /grant Administrators:F (PID 5228)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA" /a (PID 5300)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA" /grant Administrators:F (PID 5356)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA" /a (PID 5412)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA" /grant Administrators:F (PID 5464)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA" /a (PID 5520)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA" /grant Administrators:F (PID 5572)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\OneNote" /a (PID 5632)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\OneNote" /grant Administrators:F (PID 5688)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\osfFPA" /a (PID 5736)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\osfFPA" /grant Administrators:F (PID 5792)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE" /a (PID 5848)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE" /grant Administrators:F (PID 5896)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\PersonaSpy" /a (PID 5944)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\PersonaSpy" /grant Administrators:F (PID 5996)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\PROOF" /a (PID 6044)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\PROOF" /grant Administrators:F (PID 6112) [Possible privilege escalation attempt]
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\QUERIES" /a (PID 5172)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\QUERIES" /grant Administrators:F (PID 5160)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\SAMPLES" /a (PID 5264) [Possible privilege escalation attempt]
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\SAMPLES" /grant Administrators:F (PID 5348)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs" /a (PID 5404)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs" /grant Administrators:F (PID 5428)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018" /a (PID 5480)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018" /grant Administrators:F (PID 5592)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview" /a (PID 5572)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview" /grant Administrators:F (PID 5636) [Possible privilege escalation attempt]
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib" /a (PID 5716)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib" /grant Administrators:F (PID 5740)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common" /a (PID 5796)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common" /grant Administrators:F (PID 5884)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets" /a (PID 5792)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets" /grant Administrators:F (PID 5964)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027" /a (PID 6032)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027" /grant Administrators:F (PID 6060)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets" /a (PID 6128)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets" /grant Administrators:F (PID 5024) [Possible privilege escalation attempt]
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons" /a (PID 5148)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons" /grant Administrators:F (PID 5284)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042" /a (PID 5332)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042" /grant Administrators:F (PID 5364)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets" /a (PID 5160)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets" /grant Administrators:F (PID 5476)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets" /a (PID 5588)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets" /grant Administrators:F (PID 5652)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images" /a (PID 5504)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images" /grant Administrators:F (PID 5696)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049" /a (PID 5776)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049" /grant Administrators:F (PID 5908)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\SkypeSrv" /a (PID 5912)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\SkypeSrv" /grant Administrators:F (PID 5980) [Modifies file permissions]
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE" /a (PID 6000)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE" /grant Administrators:F (PID 6108)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\STARTUP" /a (PID 5192)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\STARTUP" /grant Administrators:F (PID 5964)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\XLSTART" /a (PID 5184)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\XLSTART" /grant Administrators:F (PID 5304)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\rsod" /a (PID 5448) [Modifies file permissions]
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\rsod" /grant Administrators:F (PID 5148)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates" /a (PID 5152)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates" /grant Administrators:F (PID 5564)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates\1033" /a (PID 5356)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates\1033" /grant Administrators:F (PID 5668)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16" /a (PID 5632)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16" /grant Administrators:F (PID 5768)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE" /a (PID 5724)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE" /grant Administrators:F (PID 5828)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16" /a (PID 5928)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16" /grant Administrators:F (PID 5924)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery" /a (PID 5980)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery" /grant Administrators:F (PID 6092)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates\Presentation Designs" /a (PID 5164)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates\Presentation Designs" /grant Administrators:F (PID 5156)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs" /a (PID 6052)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs" /grant Administrators:F (PID 5228)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Common AppData" /a (PID 3620)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Common AppData" /grant Administrators:F (PID 4420)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft" /a (PID 5380)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft" /grant Administrators:F (PID 5596)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE" /a (PID 5216)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE" /grant Administrators:F (PID 5464)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat" /a (PID 4592)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat" /grant Administrators:F (PID 5744)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help" /a (PID 5824)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help" /grant Administrators:F (PID 5776)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Fonts" /a (PID 5948)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Fonts" /grant Administrators:F (PID 5844)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Fonts\private" /a (PID 6048)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Fonts\private" /grant Administrators:F (PID 6032)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64" /a (PID 5932)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64" /grant Administrators:F (PID 5204)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER" /a (PID 5360)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER" /grant Administrators:F (PID 5364)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared" /a (PID 3620)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared" /grant Administrators:F (PID 5772) [Possible privilege escalation attempt]
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW" /a (PID 1256)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW" /grant Administrators:F (PID 5312)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" /a (PID 5532)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" /grant Administrators:F (PID 5648)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION" /a (PID 5984)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION" /grant Administrators:F (PID 5892)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033" /a (PID 2548)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033" /grant Administrators:F (PID 6140)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO" /a (PID 4592)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO" /grant Administrators:F (PID 6096)
  - "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters" /a (PID 6124)
  - "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters" /grant Administrators:F (PID 5200)
- C:\Windows\system32\vssvc.exe (PID 4524)
- C:\Windows\system32\AUDIODG.EXE 0x2ec 0x498 (PID 3176)
- C:\Windows\system32\usoclient.exe StartScan (PID 5052)
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Direct Volume Access (1)
- File and Directory Permissions Modification (2)
  - Windows File and Directory Permissions Modification (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (3)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\945734880
Filesize: 2.7MB
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\241397553
Filesize: 1.0MB