9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d

Resubmissions

28/03/2025, 14:59

250328-sc4wsazjx2 10

28/03/2025, 14:53

250328-r9rr2sxwbz 10

27/03/2025, 13:35

250327-qvr9laswew 10

Analysis

max time kernel
199s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JKT48.exe
Size

8.0MB
MD5

41f5bac802f5e79dc2ca7a3db25d0001
SHA1

ce56c42cadd2db13edf03c15ce3b11c2cfa00f9e
SHA256

9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d
SHA512

94705e83ce1b104954be07210ea3648c7403a6dd86ebaf6e884ced1552636b6a05a3b2926415d6c49ff251a675815435e4b2a3c8f816bbbf68c08c3299db99ab
SSDEEP

196608:PF35AX/ip4e/aS3e+gr80KILDjhoOX9oeqZ8r8swzH0e:d3KX/o4eSTr80xHhJ8s63

Score

10^/10

bootkit defense_evasion discovery evasion execution exploit impact persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	JKT48.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	JKT48.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	JKT48.exe

Disables Task Manager via registry modification
defense_evasion
Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 32 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustedinstaller.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustedinstaller.exe\Debugger = "*/"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipconfig.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipconfig.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
2972	icacls.exe
1952	icacls.exe
2968	takeown.exe
1900	icacls.exe
2772	takeown.exe
900	takeown.exe
1980	takeown.exe
1480	takeown.exe
1720	icacls.exe
2036	takeown.exe
2116	takeown.exe
1492	takeown.exe
2764	icacls.exe
2264	takeown.exe
2512	Process not Found
2348	takeown.exe
1592	takeown.exe
2780	takeown.exe
1516	icacls.exe
2708	icacls.exe
1300	icacls.exe
772	takeown.exe
2476	icacls.exe
592	icacls.exe
1868	Process not Found
552	takeown.exe
2852	takeown.exe
1148	icacls.exe
1440	takeown.exe
1732	icacls.exe
1972	icacls.exe
2512	takeown.exe
2920	icacls.exe
1444	takeown.exe
2848	takeown.exe
1968	icacls.exe
1824	takeown.exe
2296	takeown.exe
2920	icacls.exe
2576	icacls.exe
1960	takeown.exe
1448	takeown.exe
572	Process not Found
2448	icacls.exe
1732	Process not Found
1484	icacls.exe
1508	takeown.exe
1260	takeown.exe
1088	takeown.exe
1880	icacls.exe
2356	icacls.exe
2956	icacls.exe
2412	takeown.exe
812	icacls.exe
2812	takeown.exe
1960	takeown.exe
2176	takeown.exe
2916	takeown.exe
2504	icacls.exe
2980	takeown.exe
2484	icacls.exe
1672	takeown.exe
2340	Process not Found
1752	icacls.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2576	icacls.exe
2520	takeown.exe
2960	icacls.exe
1204	takeown.exe
2020	icacls.exe
1224	icacls.exe
1516	icacls.exe
3040	icacls.exe
536	takeown.exe
2176	takeown.exe
2360	Process not Found
840	Process not Found
1556	takeown.exe
1892	icacls.exe
1476	icacls.exe
2100	takeown.exe
2520	icacls.exe
2884	Process not Found
2440	takeown.exe
812	icacls.exe
2452	Process not Found
1300	takeown.exe
1432	icacls.exe
2840	icacls.exe
2268	icacls.exe
1448	takeown.exe
892	takeown.exe
2904	Process not Found
2920	icacls.exe
596	takeown.exe
1476	takeown.exe
2896	icacls.exe
2220	icacls.exe
2736	icacls.exe
2056	icacls.exe
1528	icacls.exe
2132	icacls.exe
2912	takeown.exe
1680	Process not Found
2348	Process not Found
1888	takeown.exe
812	icacls.exe
2648	takeown.exe
3040	takeown.exe
2876	icacls.exe
592	takeown.exe
1160	takeown.exe
596	icacls.exe
1712	takeown.exe
2700	icacls.exe
1416	takeown.exe
1892	takeown.exe
1980	takeown.exe
2576	icacls.exe
2812	takeown.exe
2820	Process not Found
1868	Process not Found
2648	Process not Found
2584	takeown.exe
1440	takeown.exe
2364	icacls.exe
1088	icacls.exe
2100	takeown.exe
2064	takeown.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	JKT48.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File created	C:\windows\system32\sfc.exe	JKT48.exe
File created	C:\windows\system32\ntoskrnl.exe	JKT48.exe
File created	C:\windows\system32\cmd.exe	JKT48.exe
File created	C:\windows\system32\rundll32.exe	JKT48.exe
File created	C:\windows\syswow64\utilman.exe	JKT48.exe
File created	C:\windows\syswow64\sfc.exe	JKT48.exe
File created	C:\windows\system32\msconfig.exe	JKT48.exe
File created	C:\windows\system32\rstrui.exe	JKT48.exe
File created	C:\windows\syswow64\regedit.exe	JKT48.exe
File created	C:\windows\syswow64\cmd.exe	JKT48.exe
File created	C:\windows\syswow64\reg.exe	JKT48.exe
File created	C:\windows\syswow64\perfmon.exe	JKT48.exe
File created	C:\windows\syswow64\rundll32.exe	JKT48.exe
File created	C:\windows\system32\taskmgr.exe	JKT48.exe
File created	C:\windows\system32\utilman.exe	JKT48.exe
File created	C:\windows\system32\perfmon.exe	JKT48.exe
File created	C:\windows\system32\hal.dll	JKT48.exe
File created	C:\windows\syswow64\resmon.exe	JKT48.exe
File created	C:\windows\syswow64\taskkill.exe	JKT48.exe
File created	C:\windows\system32\reg.exe	JKT48.exe
File created	C:\windows\system32\sethc.exe	JKT48.exe
File created	C:\windows\system32\taskkill.exe	JKT48.exe
File created	C:\windows\syswow64\taskmgr.exe	JKT48.exe
File created	C:\windows\system32\perfmon.msc	JKT48.exe
File created	C:\windows\system32\logonui.exe	JKT48.exe
File created	C:\windows\system32\winload.exe	JKT48.exe
File created	C:\windows\syswow64\perfmon.msc	JKT48.exe
File created	C:\windows\syswow64\sethc.exe	JKT48.exe
File created	C:\windows\system32\resmon.exe	JKT48.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\RCX152D.tmp	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\RCXFE7E.tmp	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\407148144	JKT48.exe
File opened for modification	C:\Program Files\Internet Explorer\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\RCX4DD3.tmp	JKT48.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Internet Explorer\RCX1E79.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\918504717	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\RCX4C8A.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\838530137	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\RCX40AA.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\RCX42AE.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\404429137	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX1CA.tmp	JKT48.exe
File created	C:\Program Files\Microsoft Games\FreeCell\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\DVD Maker\186622402	JKT48.exe
File opened for modification	C:\Program Files\Java\jre7\bin\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\RCX460C.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Internet Explorer\RCX1E78.tmp	JKT48.exe
File opened for modification	C:\Program Files\Internet Explorer\167933631	JKT48.exe
File created	C:\Program Files\Microsoft Games\Hearts\910415639	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\RCX4475.tmp	JKT48.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\374445000	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\DVD Maker\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\RCX47A4.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\918504717	JKT48.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\910415639	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\407148144	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX1A2E.tmp	JKT48.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\RCX4B41.tmp	JKT48.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\404429137	JKT48.exe
File created	C:\Program Files\DVD Maker\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\RCX42AF.tmp	JKT48.exe
File created	C:\Program Files\Microsoft Games\Hearts\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Internet Explorer\167933631	JKT48.exe
File created	C:\Program Files\Microsoft Games\Purble Place\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\23501032	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\RCX1C34.tmp	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\RCX1C35.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\RCX4A06.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\660849372	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX1A2F.tmp	JKT48.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\374445000	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX1CB.tmp	JKT48.exe
File created	C:\Program Files\Internet Explorer\msvcp120ex.dll	JKT48.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\regedit.exe	JKT48.exe
File created	C:\windows\servicing\trustedinstaller.exe	JKT48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2480	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2108	JKT48.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	JKT48.exe
Token: SeDebugPrivilege	2108	JKT48.exe
Token: SeIncBasePriorityPrivilege	2108	JKT48.exe
Token: SeTakeOwnershipPrivilege	2164	takeown.exe
Token: SeTakeOwnershipPrivilege	1440	takeown.exe
Token: SeTakeOwnershipPrivilege	2584	takeown.exe
Token: SeTakeOwnershipPrivilege	328	takeown.exe
Token: SeTakeOwnershipPrivilege	1668	takeown.exe
Token: SeTakeOwnershipPrivilege	1580	takeown.exe
Token: SeTakeOwnershipPrivilege	988	takeown.exe
Token: SeTakeOwnershipPrivilege	2116	takeown.exe
Token: SeTakeOwnershipPrivilege	2924	takeown.exe
Token: SeTakeOwnershipPrivilege	1160	takeown.exe
Token: SeTakeOwnershipPrivilege	2244	takeown.exe
Token: SeTakeOwnershipPrivilege	1780	takeown.exe
Token: SeTakeOwnershipPrivilege	2224	takeown.exe
Token: SeTakeOwnershipPrivilege	1632	takeown.exe
Token: SeTakeOwnershipPrivilege	2000	takeown.exe
Token: SeTakeOwnershipPrivilege	1972	takeown.exe
Token: SeTakeOwnershipPrivilege	348	takeown.exe
Token: SeTakeOwnershipPrivilege	2348	takeown.exe
Token: SeTakeOwnershipPrivilege	3036	takeown.exe
Token: SeTakeOwnershipPrivilege	2288	takeown.exe
Token: SeTakeOwnershipPrivilege	2712	takeown.exe
Token: SeTakeOwnershipPrivilege	2744	takeown.exe
Token: SeTakeOwnershipPrivilege	2784	takeown.exe
Token: SeTakeOwnershipPrivilege	2648	takeown.exe
Token: SeTakeOwnershipPrivilege	2132	takeown.exe
Token: SeTakeOwnershipPrivilege	2176	takeown.exe
Token: SeTakeOwnershipPrivilege	1800	takeown.exe
Token: SeTakeOwnershipPrivilege	1532	takeown.exe
Token: SeTakeOwnershipPrivilege	2020	takeown.exe
Token: SeTakeOwnershipPrivilege	2028	takeown.exe
Token: SeTakeOwnershipPrivilege	2032	takeown.exe
Token: SeTakeOwnershipPrivilege	2100	takeown.exe
Token: SeTakeOwnershipPrivilege	2204	takeown.exe
Token: SeTakeOwnershipPrivilege	2584	takeown.exe
Token: SeTakeOwnershipPrivilege	988	takeown.exe
Token: SeTakeOwnershipPrivilege	1492	takeown.exe
Token: SeTakeOwnershipPrivilege	1556	takeown.exe
Token: SeTakeOwnershipPrivilege	1888	takeown.exe
Token: SeTakeOwnershipPrivilege	2068	takeown.exe
Token: SeTakeOwnershipPrivilege	3056	takeown.exe
Token: SeTakeOwnershipPrivilege	1124	takeown.exe
Token: SeTakeOwnershipPrivilege	2916	takeown.exe
Token: SeTakeOwnershipPrivilege	2772	takeown.exe
Token: SeTakeOwnershipPrivilege	2532	takeown.exe
Token: SeTakeOwnershipPrivilege	2952	takeown.exe
Token: SeTakeOwnershipPrivilege	2176	takeown.exe
Token: SeTakeOwnershipPrivilege	2724	takeown.exe
Token: SeTakeOwnershipPrivilege	1512	takeown.exe
Token: SeTakeOwnershipPrivilege	1800	takeown.exe
Token: SeTakeOwnershipPrivilege	1440	takeown.exe
Token: SeTakeOwnershipPrivilege	2448	takeown.exe
Token: SeTakeOwnershipPrivilege	2092	takeown.exe
Token: SeTakeOwnershipPrivilege	952	takeown.exe
Token: SeTakeOwnershipPrivilege	2204	takeown.exe
Token: SeTakeOwnershipPrivilege	808	takeown.exe
Token: SeTakeOwnershipPrivilege	2236	takeown.exe
Token: SeTakeOwnershipPrivilege	2328	takeown.exe
Token: SeTakeOwnershipPrivilege	2124	takeown.exe
Token: SeTakeOwnershipPrivilege	3036	takeown.exe
Token: SeTakeOwnershipPrivilege	2084	takeown.exe
Token: SeTakeOwnershipPrivilege	1592	takeown.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe
2108	JKT48.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2700	2108	JKT48.exe	30
PID 2108 wrote to memory of 2700	2108	JKT48.exe	30
PID 2108 wrote to memory of 2700	2108	JKT48.exe	30
PID 2108 wrote to memory of 536	2108	JKT48.exe	32
PID 2108 wrote to memory of 536	2108	JKT48.exe	32
PID 2108 wrote to memory of 536	2108	JKT48.exe	32
PID 2108 wrote to memory of 2768	2108	JKT48.exe	34
PID 2108 wrote to memory of 2768	2108	JKT48.exe	34
PID 2108 wrote to memory of 2768	2108	JKT48.exe	34
PID 2108 wrote to memory of 2916	2108	JKT48.exe	36
PID 2108 wrote to memory of 2916	2108	JKT48.exe	36
PID 2108 wrote to memory of 2916	2108	JKT48.exe	36
PID 2108 wrote to memory of 3012	2108	JKT48.exe	38
PID 2108 wrote to memory of 3012	2108	JKT48.exe	38
PID 2108 wrote to memory of 3012	2108	JKT48.exe	38
PID 2108 wrote to memory of 2628	2108	JKT48.exe	40
PID 2108 wrote to memory of 2628	2108	JKT48.exe	40
PID 2108 wrote to memory of 2628	2108	JKT48.exe	40
PID 2108 wrote to memory of 2944	2108	JKT48.exe	42
PID 2108 wrote to memory of 2944	2108	JKT48.exe	42
PID 2108 wrote to memory of 2944	2108	JKT48.exe	42
PID 2108 wrote to memory of 2972	2108	JKT48.exe	44
PID 2108 wrote to memory of 2972	2108	JKT48.exe	44
PID 2108 wrote to memory of 2972	2108	JKT48.exe	44
PID 2108 wrote to memory of 2668	2108	JKT48.exe	46
PID 2108 wrote to memory of 2668	2108	JKT48.exe	46
PID 2108 wrote to memory of 2668	2108	JKT48.exe	46
PID 2108 wrote to memory of 2632	2108	JKT48.exe	48
PID 2108 wrote to memory of 2632	2108	JKT48.exe	48
PID 2108 wrote to memory of 2632	2108	JKT48.exe	48
PID 2108 wrote to memory of 2692	2108	JKT48.exe	50
PID 2108 wrote to memory of 2692	2108	JKT48.exe	50
PID 2108 wrote to memory of 2692	2108	JKT48.exe	50
PID 2108 wrote to memory of 2268	2108	JKT48.exe	52
PID 2108 wrote to memory of 2268	2108	JKT48.exe	52
PID 2108 wrote to memory of 2268	2108	JKT48.exe	52
PID 2108 wrote to memory of 2164	2108	JKT48.exe	54
PID 2108 wrote to memory of 2164	2108	JKT48.exe	54
PID 2108 wrote to memory of 2164	2108	JKT48.exe	54
PID 2108 wrote to memory of 2372	2108	JKT48.exe	56
PID 2108 wrote to memory of 2372	2108	JKT48.exe	56
PID 2108 wrote to memory of 2372	2108	JKT48.exe	56
PID 2108 wrote to memory of 2036	2108	JKT48.exe	58
PID 2108 wrote to memory of 2036	2108	JKT48.exe	58
PID 2108 wrote to memory of 2036	2108	JKT48.exe	58
PID 2108 wrote to memory of 1868	2108	JKT48.exe	60
PID 2108 wrote to memory of 1868	2108	JKT48.exe	60
PID 2108 wrote to memory of 1868	2108	JKT48.exe	60
PID 2108 wrote to memory of 1980	2108	JKT48.exe	62
PID 2108 wrote to memory of 1980	2108	JKT48.exe	62
PID 2108 wrote to memory of 1980	2108	JKT48.exe	62
PID 2108 wrote to memory of 980	2108	JKT48.exe	64
PID 2108 wrote to memory of 980	2108	JKT48.exe	64
PID 2108 wrote to memory of 980	2108	JKT48.exe	64
PID 2108 wrote to memory of 1612	2108	JKT48.exe	66
PID 2108 wrote to memory of 1612	2108	JKT48.exe	66
PID 2108 wrote to memory of 1612	2108	JKT48.exe	66
PID 2108 wrote to memory of 1440	2108	JKT48.exe	68
PID 2108 wrote to memory of 1440	2108	JKT48.exe	68
PID 2108 wrote to memory of 1440	2108	JKT48.exe	68
PID 2108 wrote to memory of 2024	2108	JKT48.exe	70
PID 2108 wrote to memory of 2024	2108	JKT48.exe	70
PID 2108 wrote to memory of 2024	2108	JKT48.exe	70
PID 2108 wrote to memory of 2008	2108	JKT48.exe	72

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	JKT48.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JKT48.exe
"C:\Users\Admin\AppData\Local\Temp\JKT48.exe"
1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2108
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin" /a
  2⤵
  PID:2700
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin" /grant Administrators:F
  2⤵
  PID:536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000" /a
  2⤵
  PID:2768
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000" /grant Administrators:F
  2⤵
  PID:2916
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Documents and Settings" /a
  2⤵
  PID:3012
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Documents and Settings" /grant Administrators:F
  2⤵
  PID:2628
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache" /a
  2⤵
  PID:2944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2972
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users" /a
  2⤵
  PID:2668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users" /grant Administrators:F
  2⤵
  PID:2632
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2268
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\cmd.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\cmd.exe" /grant Administrators:F
  2⤵
  PID:2372
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2036
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe" /grant Administrators:F
  2⤵
  PID:1868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1980
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi" /a
  2⤵
  PID:1612
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\regedit.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi" /grant Administrators:F
  2⤵
  PID:2024
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\regedit.exe" /grant Administrators:F
  2⤵
  PID:2008
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2232
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\reg.exe" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\reg.exe" /grant Administrators:F
  2⤵
  PID:1820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi" /a
  2⤵
  PID:2312
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi" /grant Administrators:F
  2⤵
  PID:2356
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:1888
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:344
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi" /a
  2⤵
  PID:2068
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi" /grant Administrators:F
  2⤵
  PID:772
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskmgr.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\taskmgr.exe" /grant Administrators:F
  2⤵
  PID:1528
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:1600
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:3048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi" /a
  2⤵
  PID:2704
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi" /grant Administrators:F
  2⤵
  PID:2760
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\msconfig.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\msconfig.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2920
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi" /a
  2⤵
  PID:2896
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi" /grant Administrators:F
  2⤵
  PID:2640
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:1104
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:1532
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\utilman.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\utilman.exe" /grant Administrators:F
  2⤵
  PID:1824
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi" /a
  2⤵
  PID:1688
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1752
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en" /a
  2⤵
  PID:2840
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1972
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi" /a
  2⤵
  PID:2156
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es" /a
  2⤵
  PID:1760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es" /grant Administrators:F
  2⤵
  PID:2256
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\sethc.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\sethc.exe" /grant Administrators:F
  2⤵
  PID:2248
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi" /a
  2⤵
  PID:2480
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1516
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr" /a
  2⤵
  - Modifies file permissions
  PID:1888
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr" /grant Administrators:F
  2⤵
  PID:848
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.exe" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi" /a
  2⤵
  PID:2212
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.exe" /grant Administrators:F
  2⤵
  PID:892
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi" /grant Administrators:F
  2⤵
  PID:2340
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:1948
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi" /a
  2⤵
  PID:2876
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi" /grant Administrators:F
  2⤵
  PID:2748
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.msc" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.msc" /grant Administrators:F
  2⤵
  PID:2912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2792
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi" /a
  2⤵
  PID:2672
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi" /grant Administrators:F
  2⤵
  PID:1224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2152
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2680
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\resmon.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\resmon.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi" /a
  2⤵
  PID:2028
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi" /grant Administrators:F
  2⤵
  PID:1072
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2136
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\logonui.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE" /a
  2⤵
  PID:2508
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\logonui.exe" /grant Administrators:F
  2⤵
  PID:2980
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE" /grant Administrators:F
  2⤵
  PID:1148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033" /a
  2⤵
  PID:884
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033" /grant Administrators:F
  2⤵
  PID:2464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C" /a
  2⤵
  - Modifies file permissions
  PID:596
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi" /a
  2⤵
  PID:308
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskkill.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi" /grant Administrators:F
  2⤵
  PID:1888
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\taskkill.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi" /a
  2⤵
  PID:2340
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi" /grant Administrators:F
  2⤵
  PID:1576
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2772
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2908
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2512
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\rundll32.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi" /grant Administrators:F
  2⤵
  PID:3000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\rundll32.exe" /grant Administrators:F
  2⤵
  PID:2952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us" /a
  2⤵
  PID:2696
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us" /grant Administrators:F
  2⤵
  PID:2176
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi" /a
  2⤵
  PID:1892
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi" /grant Administrators:F
  2⤵
  PID:1800
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\PerfLogs" /a
  2⤵
  PID:2844
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\PerfLogs" /grant Administrators:F
  2⤵
  PID:352
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\rstrui.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\PerfLogs\Admin" /a
  2⤵
  PID:1864
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\rstrui.exe" /grant Administrators:F
  2⤵
  PID:1980
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\PerfLogs\Admin" /grant Administrators:F
  2⤵
  PID:1876
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files" /grant Administrators:F
  2⤵
  PID:1648
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\sfc.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\sfc.exe" /grant Administrators:F
  2⤵
  PID:1808
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip" /a
  2⤵
  PID:864
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip" /grant Administrators:F
  2⤵
  PID:2064
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\winload.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\7z.exe" /a
  2⤵
  PID:2508
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\winload.exe" /grant Administrators:F
  2⤵
  PID:1148
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\7z.exe" /grant Administrators:F
  2⤵
  PID:612
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\Lang" /a
  2⤵
  PID:2328
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\Lang" /grant Administrators:F
  2⤵
  PID:2296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files" /grant Administrators:F
  2⤵
  PID:592
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared" /grant Administrators:F
  2⤵
  PID:1500
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Filters" /a
  2⤵
  PID:1724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Filters" /grant Administrators:F
  2⤵
  PID:2300
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\ntoskrnl.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink" /grant Administrators:F
  2⤵
  PID:2724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\ntoskrnl.exe" /grant Administrators:F
  2⤵
  PID:2700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe" /grant Administrators:F
  2⤵
  PID:2868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA" /grant Administrators:F
  2⤵
  PID:1484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\hal.dll" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\hal.dll" /grant Administrators:F
  2⤵
  PID:2944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG" /grant Administrators:F
  2⤵
  PID:1432
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ" /grant Administrators:F
  2⤵
  PID:2268
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK" /grant Administrators:F
  2⤵
  PID:2828
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE" /grant Administrators:F
  2⤵
  PID:2012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR" /grant Administrators:F
  2⤵
  PID:3060
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\servicing\trustedinstaller.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\en-US" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\servicing\trustedinstaller.exe" /grant Administrators:F
  2⤵
  PID:2220
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US" /grant Administrators:F
  2⤵
  PID:952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES" /grant Administrators:F
  2⤵
  PID:1980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE" /grant Administrators:F
  2⤵
  PID:2436
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\cmd.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI" /grant Administrators:F
  2⤵
  PID:904
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\cmd.exe" /grant Administrators:F
  2⤵
  PID:1564
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR" /grant Administrators:F
  2⤵
  PID:596
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions" /grant Administrators:F
  2⤵
  PID:880
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad" /grant Administrators:F
  2⤵
  PID:1596
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1528
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\regedit.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main" /grant Administrators:F
  2⤵
  PID:328
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\regedit.exe" /grant Administrators:F
  2⤵
  PID:2940
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers" /grant Administrators:F
  2⤵
  PID:2920
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu" /grant Administrators:F
  2⤵
  PID:2512
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad" /grant Administrators:F
  2⤵
  PID:2796
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred" /grant Administrators:F
  2⤵
  PID:1224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\reg.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\reg.exe" /grant Administrators:F
  2⤵
  PID:1600
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1300
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web" /grant Administrators:F
  2⤵
  PID:2544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL" /grant Administrators:F
  2⤵
  PID:1924
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR" /grant Administrators:F
  2⤵
  PID:2008
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU" /grant Administrators:F
  2⤵
  PID:2136
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskmgr.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskmgr.exe" /grant Administrators:F
  2⤵
  PID:1864
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization" /grant Administrators:F
  2⤵
  PID:2576
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT" /grant Administrators:F
  2⤵
  PID:812
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP" /grant Administrators:F
  2⤵
  PID:1788
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR" /grant Administrators:F
  2⤵
  PID:1756
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT" /grant Administrators:F
  2⤵
  PID:552
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\utilman.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\utilman.exe" /grant Administrators:F
  2⤵
  PID:1564
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV" /grant Administrators:F
  2⤵
  PID:1544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO" /grant Administrators:F
  2⤵
  PID:2200
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL" /grant Administrators:F
  2⤵
  PID:1948
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL" /a
  2⤵
  PID:2752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL" /grant Administrators:F
  2⤵
  PID:2720
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR" /a
  2⤵
  - Modifies file permissions
  PID:536
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR" /grant Administrators:F
  2⤵
  PID:2912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.exe" /a
  2⤵
  PID:3012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT" /a
  2⤵
  PID:2940
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.exe" /grant Administrators:F
  2⤵
  PID:3056
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT" /grant Administrators:F
  2⤵
  PID:1412
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO" /a
  2⤵
  - Modifies file permissions
  PID:1476
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO" /grant Administrators:F
  2⤵
  PID:1484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU" /a
  2⤵
  PID:2640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU" /grant Administrators:F
  2⤵
  PID:1964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK" /a
  2⤵
  PID:1584
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK" /grant Administrators:F
  2⤵
  PID:292
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI" /a
  2⤵
  PID:2968
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.msc" /a
  2⤵
  PID:2020
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI" /grant Administrators:F
  2⤵
  PID:1072
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.msc" /grant Administrators:F
  2⤵
  PID:1300
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS" /a
  2⤵
  PID:1732
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS" /grant Administrators:F
  2⤵
  PID:1720
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE" /a
  2⤵
  PID:1692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE" /grant Administrators:F
  2⤵
  PID:2128
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH" /a
  2⤵
  PID:1620
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH" /grant Administrators:F
  2⤵
  PID:2436
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR" /a
  2⤵
  PID:2036
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR" /grant Administrators:F
  2⤵
  PID:1708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA" /a
  2⤵
  PID:988
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\resmon.exe" /a
  2⤵
  PID:1880
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA" /grant Administrators:F
  2⤵
  PID:688
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\resmon.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2576
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN" /a
  2⤵
  PID:2852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN" /grant Administrators:F
  2⤵
  PID:2260
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW" /a
  2⤵
  PID:1780
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW" /grant Administrators:F
  2⤵
  PID:880
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /a
  2⤵
  PID:2284
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /grant Administrators:F
  2⤵
  PID:2352
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /a
  2⤵
  PID:2936
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /grant Administrators:F
  2⤵
  PID:2776
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sethc.exe" /a
  2⤵
  PID:2052
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE" /a
  2⤵
  PID:548
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\sethc.exe" /grant Administrators:F
  2⤵
  PID:2772
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2920
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US" /a
  2⤵
  PID:1104
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US" /grant Administrators:F
  2⤵
  PID:2200
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES" /a
  2⤵
  - Possible privilege escalation attempt
  PID:552
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES" /grant Administrators:F
  2⤵
  PID:2868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR" /a
  2⤵
  - Modifies file permissions
  PID:3040
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2876
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT" /a
  2⤵
  PID:2016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT" /grant Administrators:F
  2⤵
  PID:2820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskkill.exe" /a
  2⤵
  PID:1160
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP" /a
  2⤵
  PID:2680
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskkill.exe" /grant Administrators:F
  2⤵
  PID:292
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP" /grant Administrators:F
  2⤵
  PID:2960
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OFFICE14" /a
  2⤵
  PID:2840
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OFFICE14" /grant Administrators:F
  2⤵
  PID:2816
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /a
  2⤵
  PID:2956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /grant Administrators:F
  2⤵
  PID:1260
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures" /a
  2⤵
  PID:2332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures" /grant Administrators:F
  2⤵
  PID:2000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform" /a
  2⤵
  PID:1516
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sfc.exe" /a
  2⤵
  PID:952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform" /grant Administrators:F
  2⤵
  PID:2276
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\sfc.exe" /grant Administrators:F
  2⤵
  PID:688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" /a
  2⤵
  PID:2008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" /grant Administrators:F
  2⤵
  PID:1820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Stationery" /a
  2⤵
  PID:2308
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Stationery" /grant Administrators:F
  2⤵
  PID:1604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv" /a
  2⤵
  - Modifies file permissions
  PID:592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv" /grant Administrators:F
  2⤵
  PID:848
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE" /a
  2⤵
  PID:1724
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\rundll32.exe" /a
  2⤵
  PID:1528
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\rundll32.exe" /grant Administrators:F
  2⤵
  PID:2316
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE" /grant Administrators:F
  2⤵
  PID:2116
- C:\windows\system32\vssadmin.exe
  "C:\windows\system32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2480
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US" /a
  2⤵
  PID:2904
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2896
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES" /a
  2⤵
  PID:2796
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES" /grant Administrators:F
  2⤵
  PID:2084
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR" /a
  2⤵
  PID:2132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR" /grant Administrators:F
  2⤵
  PID:596
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT" /a
  2⤵
  PID:2512
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT" /grant Administrators:F
  2⤵
  PID:1824
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP" /a
  2⤵
  PID:3040
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP" /grant Administrators:F
  2⤵
  PID:2192
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit" /a
  2⤵
  PID:1084
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit" /grant Administrators:F
  2⤵
  PID:1964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE" /a
  2⤵
  PID:3060
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE" /grant Administrators:F
  2⤵
  PID:1440
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US" /a
  2⤵
  - Modifies file permissions
  PID:2176
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US" /grant Administrators:F
  2⤵
  PID:2040
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES" /a
  2⤵
  PID:1632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES" /grant Administrators:F
  2⤵
  PID:2220
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR" /a
  2⤵
  PID:2816
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR" /grant Administrators:F
  2⤵
  PID:1868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1444
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT" /grant Administrators:F
  2⤵
  PID:2508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP" /a
  2⤵
  PID:1864
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP" /grant Administrators:F
  2⤵
  PID:2448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VC" /a
  2⤵
  PID:2136
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VC" /grant Administrators:F
  2⤵
  PID:688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VGX" /a
  2⤵
  PID:852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VGX" /grant Administrators:F
  2⤵
  PID:904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO" /a
  2⤵
  PID:300
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO" /grant Administrators:F
  2⤵
  PID:2500
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0" /a
  2⤵
  PID:2552
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0" /grant Administrators:F
  2⤵
  PID:912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2412
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe" /grant Administrators:F
  2⤵
  PID:880
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1480
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033" /grant Administrators:F
  2⤵
  PID:2764
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Services" /a
  2⤵
  PID:2768
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Services" /grant Administrators:F
  2⤵
  PID:2164
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines" /a
  2⤵
  PID:1544
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines" /grant Administrators:F
  2⤵
  PID:2268
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft" /a
  2⤵
  PID:1532
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft" /grant Administrators:F
  2⤵
  PID:2476
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20" /a
  2⤵
  PID:2512
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20" /grant Administrators:F
  2⤵
  PID:1892
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE" /a
  2⤵
  PID:2972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE" /grant Administrators:F
  2⤵
  PID:2016
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US" /a
  2⤵
  PID:2440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US" /grant Administrators:F
  2⤵
  PID:2968
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk" /a
  2⤵
  PID:1612
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk" /grant Administrators:F
  2⤵
  PID:2368
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES" /a
  2⤵
  PID:2228
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES" /grant Administrators:F
  2⤵
  PID:1260
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR" /a
  2⤵
  PID:2372
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR" /grant Administrators:F
  2⤵
  PID:1952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT" /a
  2⤵
  PID:2604
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT" /grant Administrators:F
  2⤵
  PID:3060
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP" /a
  2⤵
  PID:1708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP" /grant Administrators:F
  2⤵
  PID:2700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System" /a
  2⤵
  PID:1864
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System" /grant Administrators:F
  2⤵
  PID:1300
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado" /a
  2⤵
  PID:952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado" /grant Administrators:F
  2⤵
  PID:2044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\de-DE" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1508
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\de-DE" /grant Administrators:F
  2⤵
  PID:1968
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\en-US" /a
  2⤵
  PID:2348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\en-US" /grant Administrators:F
  2⤵
  PID:2296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\es-ES" /a
  2⤵
  PID:688
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\es-ES" /grant Administrators:F
  2⤵
  PID:2068
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\fr-FR" /a
  2⤵
  PID:1668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\fr-FR" /grant Administrators:F
  2⤵
  PID:200
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\it-IT" /a
  2⤵
  PID:232
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\it-IT" /grant Administrators:F
  2⤵
  PID:3048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\ja-JP" /a
  2⤵
  PID:1336
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\ja-JP" /grant Administrators:F
  2⤵
  PID:2900
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\de-DE" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1960
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\de-DE" /grant Administrators:F
  2⤵
  PID:2252
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\en-US" /a
  2⤵
  PID:2940
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\en-US" /grant Administrators:F
  2⤵
  PID:2884
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\es-ES" /a
  2⤵
  PID:2856
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\es-ES" /grant Administrators:F
  2⤵
  PID:3000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\fr-FR" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2848
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\fr-FR" /grant Administrators:F
  2⤵
  PID:2060
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\it-IT" /a
  2⤵
  PID:1964
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\it-IT" /grant Administrators:F
  2⤵
  PID:2020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ja-JP" /a
  2⤵
  PID:1328
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ja-JP" /grant Administrators:F
  2⤵
  PID:1808
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc" /a
  2⤵
  - Modifies file permissions
  PID:2440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc" /grant Administrators:F
  2⤵
  PID:2752
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\de-DE" /a
  2⤵
  PID:1944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\de-DE" /grant Administrators:F
  2⤵
  PID:980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\en-US" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1260
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\en-US" /grant Administrators:F
  2⤵
  PID:1764
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\es-ES" /a
  2⤵
  PID:1444
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\es-ES" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1720
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\fr-FR" /a
  2⤵
  PID:2584
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\fr-FR" /grant Administrators:F
  2⤵
  PID:2128
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\it-IT" /a
  2⤵
  PID:1708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\it-IT" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:812
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\ja-JP" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1088
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\ja-JP" /grant Administrators:F
  2⤵
  PID:884
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB" /a
  2⤵
  - Possible privilege escalation attempt
  PID:772
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1968
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\de-DE" /a
  2⤵
  PID:2064
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\de-DE" /grant Administrators:F
  2⤵
  PID:808
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\en-US" /a
  2⤵
  PID:904
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\en-US" /grant Administrators:F
  2⤵
  PID:2340
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\es-ES" /a
  2⤵
  PID:2416
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\es-ES" /grant Administrators:F
  2⤵
  PID:2756
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\fr-FR" /a
  2⤵
  PID:1668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\fr-FR" /grant Administrators:F
  2⤵
  PID:2872
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\it-IT" /a
  2⤵
  PID:2412
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\it-IT" /grant Administrators:F
  2⤵
  PID:2344
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\ja-JP" /a
  2⤵
  PID:1724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\ja-JP" /grant Administrators:F
  2⤵
  PID:1728
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker" /a
  2⤵
  PID:1960
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker" /grant Administrators:F
  2⤵
  PID:3012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\DVDMaker.exe" /a
  2⤵
  PID:2868
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\DVDMaker.exe" /grant Administrators:F
  2⤵
  PID:2144
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\de-DE" /a
  2⤵
  PID:1816
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\de-DE" /grant Administrators:F
  2⤵
  PID:2952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\en-US" /a
  2⤵
  PID:2476
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\en-US" /grant Administrators:F
  2⤵
  PID:2828
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\es-ES" /a
  2⤵
  PID:2968
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\es-ES" /grant Administrators:F
  2⤵
  PID:2836
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\fr-FR" /a
  2⤵
  PID:2956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\fr-FR" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2504
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\it-IT" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2980
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\it-IT" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\ja-JP" /a
  2⤵
  PID:1692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\ja-JP" /grant Administrators:F
  2⤵
  PID:876
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared" /a
  2⤵
  PID:2332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared" /grant Administrators:F
  2⤵
  PID:2100
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles" /a
  2⤵
  PID:2852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles" /grant Administrators:F
  2⤵
  PID:952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy" /a
  2⤵
  PID:1088
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy" /grant Administrators:F
  2⤵
  PID:1720
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl" /a
  2⤵
  PID:2052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl" /grant Administrators:F
  2⤵
  PID:288
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage" /a
  2⤵
  PID:592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage" /grant Administrators:F
  2⤵
  PID:912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Full" /a
  2⤵
  PID:2348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Full" /grant Administrators:F
  2⤵
  PID:2928
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle" /a
  2⤵
  PID:220
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle" /grant Administrators:F
  2⤵
  PID:1048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles" /a
  2⤵
  PID:2728
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles" /grant Administrators:F
  2⤵
  PID:2936
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories" /a
  2⤵
  PID:2748
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories" /grant Administrators:F
  2⤵
  PID:2124
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge" /a
  2⤵
  PID:2744
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge" /grant Administrators:F
  2⤵
  PID:1960
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance" /a
  2⤵
  PID:2132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance" /grant Administrators:F
  2⤵
  PID:2796
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets" /a
  2⤵
  PID:2008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets" /grant Administrators:F
  2⤵
  PID:3004
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Push" /a
  2⤵
  PID:2708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Push" /grant Administrators:F
  2⤵
  PID:2848
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles" /a
  2⤵
  PID:1584
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles" /grant Administrators:F
  2⤵
  PID:2012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels" /a
  2⤵
  PID:2240
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels" /grant Administrators:F
  2⤵
  PID:2476
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter" /a
  2⤵
  PID:1876
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter" /grant Administrators:F
  2⤵
  PID:2188
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion" /a
  2⤵
  PID:1160
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion" /grant Administrators:F
  2⤵
  PID:1980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports" /a
  2⤵
  PID:2216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports" /grant Administrators:F
  2⤵
  PID:2336
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking" /a
  2⤵
  PID:2448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking" /grant Administrators:F
  2⤵
  PID:1768
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel" /a
  2⤵
  PID:1596
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel" /grant Administrators:F
  2⤵
  PID:980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall" /a
  2⤵
  PID:1708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall" /grant Administrators:F
  2⤵
  PID:348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette" /grant Administrators:F
  2⤵
  PID:1952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google" /a
  2⤵
  - Modifies file permissions
  PID:1300
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google" /grant Administrators:F
  2⤵
  PID:1440
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome" /a
  2⤵
  PID:1260
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome" /grant Administrators:F
  2⤵
  PID:2500
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application" /a
  2⤵
  PID:848
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application" /grant Administrators:F
  2⤵
  PID:1504
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\chrome.exe" /a
  2⤵
  PID:2948
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\chrome.exe" /grant Administrators:F
  2⤵
  PID:3048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119" /a
  2⤵
  PID:2412
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119" /grant Administrators:F
  2⤵
  PID:2344
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe" /a
  2⤵
  PID:1752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe" /grant Administrators:F
  2⤵
  PID:200
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps" /a
  2⤵
  PID:1820
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps" /grant Administrators:F
  2⤵
  PID:2900
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions" /a
  2⤵
  PID:1480
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions" /grant Administrators:F
  2⤵
  PID:2792
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer" /a
  2⤵
  PID:2544
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer" /grant Administrators:F
  2⤵
  PID:2972
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" /a
  2⤵
  PID:1512
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales" /a
  2⤵
  PID:2604
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales" /grant Administrators:F
  2⤵
  PID:2036
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload" /a
  2⤵
  PID:2312
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload" /grant Administrators:F
  2⤵
  PID:2028
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements" /a
  2⤵
  PID:2216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2476
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm" /a
  2⤵
  PID:1968
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm" /grant Administrators:F
  2⤵
  PID:2016
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific" /a
  2⤵
  PID:1516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64" /a
  2⤵
  PID:2332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64" /grant Administrators:F
  2⤵
  PID:288
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\SetupMetrics" /a
  2⤵
  PID:2672
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\SetupMetrics" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2520
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer" /a
  2⤵
  PID:2628
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer" /grant Administrators:F
  2⤵
  PID:2776
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\iediagcmd.exe" /a
  2⤵
  PID:2000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\iediagcmd.exe" /grant Administrators:F
  2⤵
  PID:1900
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\de-DE" /a
  2⤵
  PID:892
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\de-DE" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1432
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\en-US" /a
  2⤵
  PID:2788
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\en-US" /grant Administrators:F
  2⤵
  PID:1728
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\es-ES" /a
  2⤵
  PID:1688
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\es-ES" /grant Administrators:F
  2⤵
  PID:228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\fr-FR" /a
  2⤵
  PID:2340
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\fr-FR" /grant Administrators:F
  2⤵
  PID:2796
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\images" /a
  2⤵
  PID:2348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\images" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2576
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\it-IT" /a
  2⤵
  PID:2656
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\it-IT" /grant Administrators:F
  2⤵
  PID:2944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\ja-JP" /a
  2⤵
  PID:1484
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\ja-JP" /grant Administrators:F
  2⤵
  PID:2120
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\SIGNUP" /a
  2⤵
  PID:1224
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\SIGNUP" /grant Administrators:F
  2⤵
  PID:1984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java" /a
  2⤵
  PID:352
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80" /a
  2⤵
  PID:2204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80" /grant Administrators:F
  2⤵
  PID:2092
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\bin" /a
  2⤵
  PID:2276
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\bin" /grant Administrators:F
  2⤵
  PID:2244
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe" /a
  2⤵
  - Modifies file permissions
  PID:1160
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe" /grant Administrators:F
  2⤵
  PID:2060
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\db" /a
  2⤵
  PID:1632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\db" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2220
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\db\bin" /a
  2⤵
  PID:2036
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\db\bin" /grant Administrators:F
  2⤵
  PID:2476
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\db\lib" /a
  2⤵
  PID:1808
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\db\lib" /grant Administrators:F
  2⤵
  PID:1088
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\include" /a
  2⤵
  PID:288
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\include" /grant Administrators:F
  2⤵
  PID:1880
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\include\win32" /a
  2⤵
  PID:2520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\include\win32" /grant Administrators:F
  2⤵
  PID:2068
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge" /a
  2⤵
  PID:224
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge" /grant Administrators:F
  2⤵
  PID:2264
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre" /a
  2⤵
  PID:1504
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2764
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin" /a
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin" /grant Administrators:F
  2⤵
  PID:1944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe" /a
  2⤵
  PID:1948
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe" /grant Administrators:F
  2⤵
  PID:2788
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin" /a
  2⤵
  PID:3056
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin" /grant Administrators:F
  2⤵
  PID:2344
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2" /a
  2⤵
  PID:2132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2" /grant Administrators:F
  2⤵
  PID:592
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server" /a
  2⤵
  PID:2720
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server" /grant Administrators:F
  2⤵
  PID:2900
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib" /a
  2⤵
  PID:2856
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib" /grant Administrators:F
  2⤵
  PID:2340
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe" /a
  2⤵
  PID:2692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe" /grant Administrators:F
  2⤵
  PID:2828
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64" /a
  2⤵
  PID:1648
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1892
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet" /a
  2⤵
  PID:2680
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet" /grant Administrators:F
  2⤵
  PID:2804
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm" /a
  2⤵
  PID:2176
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm" /grant Administrators:F
  2⤵
  PID:2436
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy" /a
  2⤵
  PID:1444
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy" /grant Administrators:F
  2⤵
  PID:652
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext" /a
  2⤵
  PID:2240
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext" /grant Administrators:F
  2⤵
  PID:2232
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts" /a
  2⤵
  PID:1500
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts" /grant Administrators:F
  2⤵
  PID:1160
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images" /a
  2⤵
  PID:612
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images" /grant Administrators:F
  2⤵
  PID:2236
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors" /a
  2⤵
  PID:2504
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors" /grant Administrators:F
  2⤵
  PID:2836
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr" /a
  2⤵
  PID:2812
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr" /grant Administrators:F
  2⤵
  PID:2464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management" /a
  2⤵
  PID:1528
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management" /grant Administrators:F
  2⤵
  PID:2360
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security" /a
  2⤵
  PID:1900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security" /grant Administrators:F
  2⤵
  PID:1604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi" /a
  2⤵
  PID:2780
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1880
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa" /a
  2⤵
  PID:2036
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa" /grant Administrators:F
  2⤵
  PID:308
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America" /a
  2⤵
  PID:2100
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America" /grant Administrators:F
  2⤵
  PID:2064
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina" /a
  2⤵
  PID:2300
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina" /grant Administrators:F
  2⤵
  PID:300
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana" /a
  2⤵
  PID:2788
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana" /grant Administrators:F
  2⤵
  PID:2832
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky" /a
  2⤵
  PID:3004
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky" /grant Administrators:F
  2⤵
  PID:1668
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota" /a
  2⤵
  PID:2576
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota" /grant Administrators:F
  2⤵
  PID:2720
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica" /a
  2⤵
  PID:2656
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2736
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia" /a
  2⤵
  PID:2972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic" /a
  2⤵
  PID:2724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic" /grant Administrators:F
  2⤵
  PID:2912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia" /a
  2⤵
  PID:352
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia" /grant Administrators:F
  2⤵
  PID:948
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc" /a
  2⤵
  PID:3068
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc" /grant Administrators:F
  2⤵
  PID:2092
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe" /a
  2⤵
  PID:1980
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2356
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian" /a
  2⤵
  PID:1680
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian" /grant Administrators:F
  2⤵
  PID:2232
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific" /a
  2⤵
  - Possible privilege escalation attempt
  PID:900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific" /grant Administrators:F
  2⤵
  PID:1072
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV" /a
  2⤵
  PID:2312
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV" /grant Administrators:F
  2⤵
  PID:2336
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib" /a
  2⤵
  PID:1492
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2364
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol" /a
  2⤵
  PID:1620
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol" /grant Administrators:F
  2⤵
  PID:2628
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration" /a
  2⤵
  PID:2500
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration" /grant Administrators:F
  2⤵
  PID:2264
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator" /a
  2⤵
  - Modifies file permissions
  PID:2520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator" /grant Administrators:F
  2⤵
  PID:2028
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update" /a
  2⤵
  PID:1880
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update" /grant Administrators:F
  2⤵
  PID:1900
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins" /a
  2⤵
  PID:2032
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins" /grant Administrators:F
  2⤵
  PID:572
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features" /a
  2⤵
  PID:2488
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:596
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303" /a
  2⤵
  PID:1328
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:344
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303" /a
  2⤵
  PID:2404
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:1780
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1824
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2744
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303" /a
  2⤵
  PID:2976
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2720
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303" /a
  2⤵
  PID:3004
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:1884
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303" /a
  2⤵
  PID:2544
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2692
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303" /a
  2⤵
  PID:2020
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2844
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002" /a
  2⤵
  PID:352
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2960
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002" /a
  2⤵
  PID:2260
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002" /grant Administrators:F
  2⤵
  PID:980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033" /a
  2⤵
  PID:2512
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033" /grant Administrators:F
  2⤵
  PID:2060
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF" /a
  2⤵
  PID:2092
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF" /grant Administrators:F
  2⤵
  PID:2096
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444" /a
  2⤵
  PID:1632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444" /grant Administrators:F
  2⤵
  PID:2968
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF" /a
  2⤵
  PID:2240
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1516
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444" /a
  2⤵
  PID:2052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444" /grant Administrators:F
  2⤵
  PID:2212
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF" /a
  2⤵
  PID:848
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444" /a
  2⤵
  PID:1504
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444" /grant Administrators:F
  2⤵
  PID:1492
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF" /a
  2⤵
  PID:2520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:1300
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2812
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2840
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF" /a
  2⤵
  PID:2368
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:2640
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444" /a
  2⤵
  PID:2552
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444" /grant Administrators:F
  2⤵
  PID:1476
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF" /a
  2⤵
  PID:208
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:2940
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444" /a
  2⤵
  PID:1328
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444" /grant Administrators:F
  2⤵
  PID:2416
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1960
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:1580
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043" /a
  2⤵
  PID:300
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043" /grant Administrators:F
  2⤵
  PID:808
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF" /a
  2⤵
  PID:2828
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF" /grant Administrators:F
  2⤵
  PID:1824
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043" /a
  2⤵
  PID:1924
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043" /grant Administrators:F
  2⤵
  PID:1148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF" /a
  2⤵
  PID:2912
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF" /grant Administrators:F
  2⤵
  PID:352
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116" /a
  2⤵
  PID:988
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116" /grant Administrators:F
  2⤵
  PID:2188
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF" /a
  2⤵
  PID:2248
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF" /grant Administrators:F
  2⤵
  PID:2436
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116" /a
  2⤵
  PID:2276
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116" /grant Administrators:F
  2⤵
  PID:1508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF" /a
  2⤵
  PID:2156
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2956
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301" /a
  2⤵
  PID:1816
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301" /grant Administrators:F
  2⤵
  PID:2060
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF" /a
  2⤵
  PID:2244
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF" /grant Administrators:F
  2⤵
  PID:1864
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301" /a
  2⤵
  PID:2056
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301" /grant Administrators:F
  2⤵
  PID:2352
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF" /a
  2⤵
  PID:1284
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF" /grant Administrators:F
  2⤵
  PID:1620
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2" /a
  2⤵
  PID:688
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2" /grant Administrators:F
  2⤵
  PID:2836
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core" /a
  2⤵
  PID:2236
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core" /grant Administrators:F
  2⤵
  PID:232
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache" /a
  2⤵
  PID:1952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache" /grant Administrators:F
  2⤵
  PID:2840
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary" /a
  2⤵
  PID:2500
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary" /grant Administrators:F
  2⤵
  PID:1688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine" /a
  2⤵
  - Modifies file permissions
  PID:1712
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine" /grant Administrators:F
  2⤵
  PID:2648
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings" /a
  2⤵
  PID:1728
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings" /grant Administrators:F
  2⤵
  PID:2928
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry" /a
  2⤵
  PID:3056
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry" /grant Administrators:F
  2⤵
  PID:2644
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile" /a
  2⤵
  PID:1760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile" /grant Administrators:F
  2⤵
  PID:2788
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data" /a
  2⤵
  PID:1948
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data" /grant Administrators:F
  2⤵
  PID:2544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins" /a
  2⤵
  PID:2132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins" /grant Administrators:F
  2⤵
  PID:1756
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303" /a
  2⤵
  PID:2972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html" /a
  2⤵
  PID:1764
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html" /grant Administrators:F
  2⤵
  PID:1500
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon" /a
  2⤵
  PID:808
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon" /grant Administrators:F
  2⤵
  PID:1924
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css" /a
  2⤵
  PID:3060
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2268
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs" /a
  2⤵
  PID:1692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs" /grant Administrators:F
  2⤵
  PID:2164
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html" /a
  2⤵
  PID:2752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html" /grant Administrators:F
  2⤵
  PID:2508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons" /a
  2⤵
  PID:1516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons" /grant Administrators:F
  2⤵
  PID:884
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1672
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:812
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303" /a
  2⤵
  PID:2264
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:3008
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons" /a
  2⤵
  PID:2448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons" /grant Administrators:F
  2⤵
  PID:1720
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib" /a
  2⤵
  PID:2504
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib" /grant Administrators:F
  2⤵
  PID:1944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF" /a
  2⤵
  PID:612
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF" /grant Administrators:F
  2⤵
  PID:904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema" /a
  2⤵
  PID:1492
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema" /grant Administrators:F
  2⤵
  PID:224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033" /a
  2⤵
  PID:2412
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033" /grant Administrators:F
  2⤵
  PID:572
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF" /a
  2⤵
  PID:2648
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF" /grant Administrators:F
  2⤵
  PID:2392
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717" /a
  2⤵
  PID:208
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717" /grant Administrators:F
  2⤵
  PID:2728
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css" /a
  2⤵
  PID:2944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css" /grant Administrators:F
  2⤵
  PID:2008
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark" /a
  2⤵
  PID:2644
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark" /grant Administrators:F
  2⤵
  PID:1204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images" /a
  2⤵
  PID:1648
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images" /grant Administrators:F
  2⤵
  PID:2816
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF" /a
  2⤵
  PID:1948
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF" /grant Administrators:F
  2⤵
  PID:1868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm" /a
  2⤵
  PID:2012
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm" /grant Administrators:F
  2⤵
  PID:1444
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc" /a
  2⤵
  PID:1788
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc" /grant Administrators:F
  2⤵
  PID:2280
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform" /a
  2⤵
  PID:1500
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform" /grant Administrators:F
  2⤵
  PID:2020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config" /a
  2⤵
  PID:2216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config" /grant Administrators:F
  2⤵
  PID:2116
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps" /a
  2⤵
  PID:2604
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps" /grant Administrators:F
  2⤵
  PID:2980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2968
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules" /grant Administrators:F
  2⤵
  PID:2060
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core" /a
  2⤵
  PID:1872
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core" /grant Administrators:F
  2⤵
  PID:1088
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale" /a
  2⤵
  PID:348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2056
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib" /a
  2⤵
  PID:292
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib" /grant Administrators:F
  2⤵
  PID:2364
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2780
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe" /grant Administrators:F
  2⤵
  PID:2448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale" /a
  2⤵
  - Modifies file permissions
  PID:1416
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale" /grant Administrators:F
  2⤵
  PID:952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules" /a
  2⤵
  PID:2064
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules" /grant Administrators:F
  2⤵
  PID:912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext" /a
  2⤵
  PID:2868
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext" /grant Administrators:F
  2⤵
  PID:2500
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale" /a
  2⤵
  PID:2416
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale" /grant Administrators:F
  2⤵
  PID:1492
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale" /a
  2⤵
  PID:2928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:592
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking" /a
  2⤵
  PID:208
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking" /grant Administrators:F
  2⤵
  PID:1580
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler" /a
  2⤵
  PID:1668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler" /grant Administrators:F
  2⤵
  PID:1984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config" /a
  2⤵
  PID:2748
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config" /grant Administrators:F
  2⤵
  PID:2844
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules" /a
  2⤵
  PID:2724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3040
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib" /a
  2⤵
  PID:2804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib" /grant Administrators:F
  2⤵
  PID:200
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed" /a
  2⤵
  PID:1868
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed" /grant Administrators:F
  2⤵
  PID:3056
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15" /a
  2⤵
  PID:1680
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1732
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64" /a
  2⤵
  PID:1072
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64" /grant Administrators:F
  2⤵
  PID:3060
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16" /a
  2⤵
  PID:2956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16" /grant Administrators:F
  2⤵
  PID:2216
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64" /a
  2⤵
  - Modifies file permissions
  PID:1892
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64" /grant Administrators:F
  2⤵
  PID:1888
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale" /a
  2⤵
  PID:2776
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale" /grant Administrators:F
  2⤵
  PID:2476
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2264
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules" /grant Administrators:F
  2⤵
  PID:708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale" /a
  2⤵
  PID:1088
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale" /grant Administrators:F
  2⤵
  PID:348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking" /a
  2⤵
  PID:2316
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking" /grant Administrators:F
  2⤵
  PID:308
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm" /a
  2⤵
  PID:1944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm" /grant Administrators:F
  2⤵
  PID:1504
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config" /a
  2⤵
  PID:880
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config" /grant Administrators:F
  2⤵
  PID:2988
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules" /a
  2⤵
  PID:1752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules" /grant Administrators:F
  2⤵
  PID:2016
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core" /a
  2⤵
  PID:2444
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core" /grant Administrators:F
  2⤵
  PID:2404
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale" /a
  2⤵
  PID:2952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale" /grant Administrators:F
  2⤵
  PID:2416
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules" /a
  2⤵
  PID:2488
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules" /grant Administrators:F
  2⤵
  PID:2944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale" /a
  2⤵
  PID:1572
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale" /grant Administrators:F
  2⤵
  PID:2884
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking" /a
  2⤵
  PID:2832
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking" /grant Administrators:F
  2⤵
  PID:1920
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7" /a
  2⤵
  PID:2132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7" /grant Administrators:F
  2⤵
  PID:2592
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin" /a
  2⤵
  PID:772
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin" /grant Administrators:F
  2⤵
  PID:1148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\jabswitch.exe" /a
  2⤵
  - Modifies file permissions
  PID:1204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\jabswitch.exe" /grant Administrators:F
  2⤵
  PID:3056
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\dtplugin" /a
  2⤵
  PID:2044
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\dtplugin" /grant Administrators:F
  2⤵
  PID:900
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\plugin2" /a
  2⤵
  PID:2680
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\plugin2" /grant Administrators:F
  2⤵
  PID:1680
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\server" /a
  2⤵
  PID:1876
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\server" /grant Administrators:F
  2⤵
  PID:1764
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib" /a
  2⤵
  - Modifies file permissions
  PID:1448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib" /grant Administrators:F
  2⤵
  PID:1816
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\amd64" /a
  2⤵
  PID:1224
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\amd64" /grant Administrators:F
  2⤵
  PID:2244
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\applet" /a
  2⤵
  PID:288
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\applet" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1900
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\cmm" /a
  2⤵
  PID:2060
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\cmm" /grant Administrators:F
  2⤵
  PID:2764
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\deploy" /a
  2⤵
  PID:216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\deploy" /grant Administrators:F
  2⤵
  PID:2316
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\ext" /a
  2⤵
  - Modifies file permissions
  PID:2812
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\ext" /grant Administrators:F
  2⤵
  PID:2780
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\fonts" /a
  2⤵
  PID:2640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\fonts" /grant Administrators:F
  2⤵
  PID:1048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\images" /a
  2⤵
  PID:2936
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\images" /grant Administrators:F
  2⤵
  PID:840
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\images\cursors" /a
  2⤵
  PID:2552
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\images\cursors" /grant Administrators:F
  2⤵
  PID:2444
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\jfr" /a
  2⤵
  PID:2928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\jfr" /grant Administrators:F
  2⤵
  PID:2500
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\management" /a
  2⤵
  PID:2788
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\management" /grant Administrators:F
  2⤵
  PID:2712
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\security" /a
  2⤵
  - Modifies file permissions
  PID:892
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\security" /grant Administrators:F
  2⤵
  PID:208
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi" /a
  2⤵
  PID:1084
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi" /grant Administrators:F
  2⤵
  PID:1800
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Africa" /a
  2⤵
  PID:652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Africa" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2132
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America" /a
  2⤵
  PID:2912
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America" /grant Administrators:F
  2⤵
  PID:988
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\Argentina" /a
  2⤵
  PID:1788
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\Argentina" /grant Administrators:F
  2⤵
  PID:2348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\Indiana" /a
  2⤵
  PID:2440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\Indiana" /grant Administrators:F
  2⤵
  PID:2312
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\Kentucky" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2296
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\Kentucky" /grant Administrators:F
  2⤵
  PID:2020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\North_Dakota" /a
  2⤵
  PID:2216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\North_Dakota" /grant Administrators:F
  2⤵
  PID:2680
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Antarctica" /a
  2⤵
  PID:1508
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Antarctica" /grant Administrators:F
  2⤵
  PID:2508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Asia" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Asia" /grant Administrators:F
  2⤵
  PID:2948
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Atlantic" /a
  2⤵
  PID:1556
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Atlantic" /grant Administrators:F
  2⤵
  PID:1672
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Australia" /a
  2⤵
  PID:2364
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Australia" /grant Administrators:F
  2⤵
  PID:2764
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Etc" /a
  2⤵
  PID:3008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Etc" /grant Administrators:F
  2⤵
  PID:2672
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Europe" /a
  2⤵
  PID:232
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Europe" /grant Administrators:F
  2⤵
  PID:2028
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Indian" /a
  2⤵
  PID:768
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Indian" /grant Administrators:F
  2⤵
  PID:612
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Pacific" /a
  2⤵
  PID:1048
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Pacific" /grant Administrators:F
  2⤵
  PID:1688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\SystemV" /a
  2⤵
  PID:1752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\SystemV" /grant Administrators:F
  2⤵
  PID:596
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games" /a
  2⤵
  PID:344
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games" /grant Administrators:F
  2⤵
  PID:1492
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess" /a
  2⤵
  PID:2008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess" /grant Administrators:F
  2⤵
  PID:1328
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\Chess.exe" /a
  2⤵
  PID:1760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\Chess.exe" /grant Administrators:F
  2⤵
  PID:2656
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\de-DE" /a
  2⤵
  PID:1596
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\de-DE" /grant Administrators:F
  2⤵
  PID:2844
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\en-US" /a
  2⤵
  PID:352
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\en-US" /grant Administrators:F
  2⤵
  PID:808
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\es-ES" /a
  2⤵
  PID:3040
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\es-ES" /grant Administrators:F
  2⤵
  PID:2436
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\fr-FR" /a
  2⤵
  - Modifies file permissions
  PID:2912
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\fr-FR" /grant Administrators:F
  2⤵
  PID:2708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\it-IT" /a
  2⤵
  PID:2172
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\it-IT" /grant Administrators:F
  2⤵
  PID:2096
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\ja-JP" /a
  2⤵
  PID:2644
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\ja-JP" /grant Administrators:F
  2⤵
  PID:1500
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell" /a
  2⤵
  - Modifies file permissions
  PID:1980
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell" /grant Administrators:F
  2⤵
  PID:2452
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe" /a
  2⤵
  PID:1620
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe" /grant Administrators:F
  2⤵
  PID:1440
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\de-DE" /a
  2⤵
  PID:1224
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\de-DE" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1088
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\en-US" /a
  2⤵
  PID:1604
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\en-US" /grant Administrators:F
  2⤵
  PID:216
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\es-ES" /a
  2⤵
  PID:2984
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\es-ES" /grant Administrators:F
  2⤵
  PID:232
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\fr-FR" /a
  2⤵
  PID:292
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\fr-FR" /grant Administrators:F
  2⤵
  PID:2448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\it-IT" /a
  2⤵
  - Modifies file permissions
  PID:2100
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\it-IT" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1476
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\ja-JP" /a
  2⤵
  - Modifies file permissions
  PID:2064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "58305248620340180412508004121306235686316537015186911331717197788881361595021"
1⤵
PID:2372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "35404243219432640908107801539210214411932370757-2049321006962593028-1499490725"
1⤵
PID:1864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "123176399617834335352036864667-6981855961468622784811069208-252518371-1979762256"
1⤵
PID:688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-138211935598218530657821210-1710981760-6948579207482229841019530287-832937170"
1⤵
PID:3060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16537217633183341701474848942-1863878921039234123-409569292-262514907-770904225"
1⤵
PID:2044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "588422691173826918-23140333-10878353111472538806-1753243169771771383326943005"
1⤵
PID:812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1777424479-406153149763852497-1285395935-2478592912641062451212892489-539713518"
1⤵
PID:772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "738846435-405200742299265101810033429187154985-99763313913514374571670842353"
1⤵
PID:2296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "441401601863054086-2553154156581685641428870621-99246912-343342974458247158"
1⤵
PID:808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "499090770763834899-1096770962048380815-8036329111237091832-958129820532326365"
1⤵
PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-733605214149722631640848781917029735748594984-762886299-11047378721760000371"
1⤵
PID:1764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-542546829-947523923-1260834415-132587521890420010-17638391632139344905-1581878336"
1⤵
PID:2872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "731264823196970506134316637661853630-1488264014-140316087045729770-922459680"
1⤵
PID:2064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1381982053-21105613201539140010958576221249350682-1028679356741194933789831225"
1⤵
PID:2848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16254101544583549-1942247755561217475-174996264891053230-1224119494-930961872"
1⤵
PID:2584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1527338125-1474892226997783174836292430135275026-1679855062-1424236686-838591435"
1⤵
PID:2968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1053213385-2416936491318433852-21017756241043830749-103540137317979639371070612695"
1⤵
PID:2756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-214128247418656503535104945991510287315451673559-260989846-1597189915910635527"
1⤵
PID:1512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-917508649191772379017588949321750362220-1728495961-10242079912027709676-1229699887"
1⤵
PID:884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6291257-1958898570176065871514328289011005343788-681529681-213519449400053476"
1⤵
PID:228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2090937068-62914071765764218-499332716-10607148615039168979827787662019063029"
1⤵
PID:2416

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1085114119-1375016860-1661177687-5383027331144245910-15460961881129624915-1569483956"
1⤵
PID:1668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1830063404456674501515308991-461288456-5640285681891659460251201-1273850450"
1⤵
PID:1480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-568957713-887778550-1147342306-1103724389128543731-1611212439734657077-24943318"
1⤵
PID:1816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "302269359409836566-1379789243524626683-1149454630-21343864431202177722-693476451"
1⤵
PID:1968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1048167076-353905359-2041044138-1692351402-534308741-1101102452-285930117-784205752"
1⤵
PID:1260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12293616121271670882-1019348480-1335140257785123896123941077093838-567628088"
1⤵
PID:2728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3610035591342079155-55451940965236746-1267362054-302457420683582655-1599444825"
1⤵
PID:2124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1079501866346169626543710792-1691950854-1316666297648059230-2031635273-121588376"
1⤵
PID:2796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9006460834494255131686573488445555170-1995575379-1546129614200557955993598185"
1⤵
PID:592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11589359-1936302129-935704530-14957898672106578993-1740559783355995177-248689956"
1⤵
PID:2708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "137006179791718012713690768032083420781-1055328944628441941-6732418541960101175"
1⤵
PID:1160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18812354541277776578-611891583-1418609750-99358572218460410961684247915-606130794"
1⤵
PID:1876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "964340599-1421016083-1677655572-2480750801653909421262339428-902519600-653705361"
1⤵
PID:2980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1546276458353818593-1093042758435885694-322135872-1558479428-1053842103-184370011"
1⤵
PID:952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1623394282-493263257-149827142818792177831937101482536435488-835773699-1236888545"
1⤵
PID:2100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1058746366420616717-401643578-646589889497146131-11973913591140779093-303384403"
1⤵
PID:1048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1796424263-5969634361007110536-1179752607-8484549132581531931793400967-954474738"
1⤵
PID:1820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "158531882113296344451263160845-1730079975-1124536894-1263299930-993485621-1730919882"
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1745488529-8499105991666882145993463954-1812574904-14035259548876407851688987840"
1⤵
PID:2900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21449452-163601421118822618241317324801726462154166665849-1514420830-2038504999"
1⤵
PID:1440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-628475115-1141829797-718873763-109671320865604577617569853432641140091318895950"
1⤵
PID:1780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1518818640887835311-369639752-16654072-4529171882056769781388485371436563569"
1⤵
PID:2000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11254473791934551821-4058421991539005204-1904847612-6757337814675364151751974105"
1⤵
PID:220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-675823975-144775081519529160851552418011515460890-8032079631283036596511635780"
1⤵
PID:2348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18586492941174948930-518147704-1887925995-24997139518388040162024460634-308687850"
1⤵
PID:3004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12644500011054379417-20612722871041643559-368832096962317004-1281939562-15471802"
1⤵
PID:2748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "267429096-1316813276-1500135999-14843423981009484901130910441556242752917455056"
1⤵
PID:2012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "722751301971950106-1767589639-1982259716-1383809049526660519147587101757956730"
1⤵
PID:2948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8180619572437858821954405607-795232796-57155233019040459617097950182108826028"
1⤵
PID:948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10391335478989425-1994381011924699224254508981337583269-774344995-1143955288"
1⤵
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "854665620-1502992432-664429148-8719550652906316136424766251269138357382094738"
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1268988323-1569841036-132984779712372919631028391611-1416464071383360219-950113894"
1⤵
PID:3048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20420208481008262268-1808501321-118394600912605047341094627223-6212458932125828503"
1⤵
PID:1504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2009416548-1576567061-201272931-20784820891800489235698309468445267820-501303824"
1⤵
PID:1484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2047518871-1161805161219514054548560662181087087413538936001391152754729847357"
1⤵
PID:2544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-35273842-1810608191907379104-50710710515763590631304356858-598066266934745768"
1⤵
PID:1768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "53976698806074857972533148236392548125406272118371642861389538870-1313347055"
1⤵
PID:2852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1628246723-14392049881682887872805587291-1270523967-459303915964151861511996203"
1⤵
PID:1952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1091792740-906586188-1921138117460498432883711256-875962836-1060510241-381353168"
1⤵
PID:848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "77941747710595481551773038743951510512080872610223065261639972094-788438165"
1⤵
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "684973928192040019220507557511259645824377556275-1792079884322875411368268747"
1⤵
PID:1924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17397546616649578401018105109-1564444268001181642049458512652907591408815951"
1⤵
PID:1884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-96461699-1091142218-116405723365999959314182379-1606234082848385729-406935916"
1⤵
PID:1516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1731929713-1084875986-1961176496801432524-1644608558-115317133-1663415061-1889600168"
1⤵
PID:2236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17924253014680977261489678963-1503586411-770376684-482395611911816340-256496593"
1⤵
PID:1712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16662390681456990817-1876739130508111309-104140394330752821011809522052003458813"
1⤵
PID:1728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1833679383990005663-165810491-1262886921-397108883-2043098014688726758-1875636972"
1⤵
PID:2204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1893797241-1427464608-1415502901155128121710479614671178826892821552291092201261"
1⤵
PID:1864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12345562517854303091716614585-8711645311079053255156836469311435829281946532539"
1⤵
PID:2260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1212911997-169567572-902072544948690662-1198926478801444784-972761112-591866231"
1⤵
PID:2332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2055232184693410840-1363535258-940046530-12655304431727154689-2099078436-833399626"
1⤵
PID:2836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-512651426701936741196667429-14077716252375553491705404084535979709-2117903014"
1⤵
PID:1808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1515861973-5198381721098199570-2095163140258204068-1956732547-1781855190-1386146899"
1⤵
PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1897388221845072025-2126337529-89153563173870891264955681693609113328326535"
1⤵
PID:2520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7432755281963368418-887583266132824142252460128-452438127-1516053940-225264434"
1⤵
PID:1960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "145475943392350126318167186251797868161-320349837-106138299-20514271951783707673"
1⤵
PID:2340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4896178521167601659-1122806314-9634702461832749701-832461155854236901-643237928"
1⤵
PID:1920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15830976822067786480-1193437947-1920125462-1815393095-428820125-1093430273-1570576334"
1⤵
PID:1444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-406077875876666503-1555684276384802302145902827819852352541338662592-2040816368"
1⤵
PID:2268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "52294996-829095792-8921283001683373569203004525513225143533252228351336222824"
1⤵
PID:2816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1730742181456313524810203776-1484217370145881764-721639671-12767964581081861109"
1⤵
PID:2980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-193509252347298132181010999149713971-2035829883-13421417262110356910-2126969896"
1⤵
PID:1284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "363578879-537001344-465544506-1457686763-8789448811848154237-1555771925-215342232"
1⤵
PID:1516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "713185070-1646740653-60443361-2043673290-1083005914-11389838621163698350685893496"
1⤵
PID:2776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-71467335274943983-8182267346989279804602297182100681715272481103-74133158"
1⤵
PID:308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-79019873232652077186492995-123065964698784615-1990468916-1801775500-1788652681"
1⤵
PID:1504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-125339319915886731312118074913-428727320-1701887170-312447183-8799065691255920854"
1⤵
PID:2840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1127424576-1106365378133758964120812416671523503223-1257437202-8449381011308695795"
1⤵
PID:224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3616215871301624660-1676475309-1602388675-6727095701061904810-1136344705351733897"
1⤵
PID:1432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-50977644165721585-1241811956-1148896306636897889920409781399008660586561496"
1⤵
PID:2232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "237362353-98904831216287670952072611546-7894710181255163705-1782517382503325192"
1⤵
PID:2348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "65631583019295748282081394819275400762-230369106-931389366-2144911162-1949630637"
1⤵
PID:708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-631825726-117882518617392512061924930603-2979171984932192581091235810-982556074"
1⤵
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.exe

Filesize
1.8MB

MD5
dcd79990fc2e2a8dd61ae665a8392549

SHA1
24a5dc302208e0a353b6846f930fab1707b7a911

SHA256
8b35d0657fb8dcc524bfb8b05e9519f0e3c6958b4960eaa634bde829718648b7

SHA512
1b2d1f44ed894c863416b4b076c239f8ab5ca1562664e0b565113222803706eb3136d6afa1e176150de405c4ca441b403926f74fa7a981768c25f1a442953b45

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
4f21f2bade14cbc3339fcab1c65775bc

SHA1
31b7af511aabe81a43758989d5cbf667cb17db60

SHA256
375dd0cf364b0ce76cc0b9807bbea7cfeadd74bce5ed497db52109e57ea58dac

SHA512
746de39d9c8d3e45351bce7d652642ae30073bde9c466f3c4751936e26918678f4f4e3db4656c95870ed0df7ca631ab7918f270999446df01a21595066091262

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RCXD107.tmp

Filesize
360KB

MD5
218e18002822b9a3f9fbb5b609f24a03

SHA1
b50a0f3a9d2faf51278081a35f131035ad3860b6

SHA256
e33aecf0678644129fd44a7711a50ca3e648bd92d2a2d9559145f2d3207e5f4e

SHA512
e619f4a104def71c06e52a2a0b8a23dfddafec3cf7d7205217c38fc3a1d474aa8f7e0dc398d6b9b19a6eb272a092d3ae164e4fe763630994b90425ff6fa5480d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
ffa4d2583138cf6f98302a151c193bd6

SHA1
abf91d660ab5abf074c9114eaa4cfd01e6926436

SHA256
155341745df74c1a0d311ffe505989f7eaaf4d37c820a29389ecb9c409b261ed

SHA512
95e2ecd7abc486954bdfdc0f22fc6215e55ec279da9ae8cf700e9acce8b4b76c55d81fb84de6e9cd95ee904c6a1bd0a62380a4f4bacfc6c2bf07a0c48bdea5ef

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\msvcp120ex.dll

Filesize
8.0MB

MD5
14f3afaa26f3271828166fd0845122f9

SHA1
740cde74f832d08cb3d992e99cebcdc43579a54c

SHA256
47ee0b23d725b22e1fc3226ecba34d808abb832948fda98399ec8c1729435d90

SHA512
009af95824043e3aa2eaa3c49656595fde2be9b3b8ba3c77567dc59734792cae9996297f366d848aaebbd7b0bb951339554c984a996fb10b845f8f93fa45fce1

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
89770e66768d9c2ad1c50732c7fbc98c

SHA1
d3ff67c3a366f7b2a70de02f36197bd59022ea98

SHA256
62c01a8e08dc0d10d8c15828e66e41b86848ea2f346a569fefbaa84a37700269

SHA512
aec6c70ae6b33cb8356aed37fe8844ab9f18f26c6f5d04359ec016c4889a764c6c2b1f1036b3245b4065fcd76261eb7cc43c99b31d1308e1e83b939efaf370ee

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
b6469f4fbaed93438a44e1ce3fccb940

SHA1
e853019c115f08addd09177ca1fbe62fcb523b2f

SHA256
b79ba4a40f737c497b0ced2bdcd8325d9218bc134ae0e3d1829d89f31099438d

SHA512
bcaaa82bc5f86b7766296c2b1fa349b877e2f75bbf7525896e8e3135ba7b0b6e206d8aaead1427071e4bf3d6a19f6222d066b208b8456da4df626c33c8134c4b

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\275115316

Filesize
878KB

MD5
12543700f98dfc76cbc771220d732c09

SHA1
721598c722231be1686e494c2b0dd169a03003ec

SHA256
471cf135f7a452d3db084c72877fc5143a74d6bd4959b63ddab5c42412fcb5e2

SHA512
8cdae6535d7332cea1c63994dd9f7bf9b74b3d4594c5e759830616cb089b66e5aed06212dfbd9a6beb8710e74cfc2f815c5721aa770dd3182bdb0818a698f7dd

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
ffbbee3b18a9caec338fed47896291e4

SHA1
6f1ff3b8ee795f18165a2e7fc144e5f1064da5eb

SHA256
5646806b9ac69843d1413a2ba1beb59be2235c08e1cfa0b48610851d2e5b0230

SHA512
f2c133d15bd811eb909984fdde5dcc49f29409748abcb95603c51f6595b0846826351e5f5041a206645d0ffbcbdd068e138cf42278f9cdfb0e9ac2b3a58d1eb2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\msvcp120ex.dll

Filesize
8.0MB

MD5
edb6014ea2caf1608ed18109b90d000e

SHA1
05bfcd6d2db528adda1dd983a83051196e04870c

SHA256
230d83b9fe9ba26489c56891f8bc6cc1420314264fd023df1a49160869c600a6

SHA512
f18fe7f182a25adeba7f2fee76012ce1695eb6185d26e8a962296eb7fd1afe61d814e0f3c3fbc5805b1fb3a2243def41b2ba70f5f0604e2e6157537da8dcb757

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\msvcp120ex.dll

Filesize
8.0MB

MD5
3cc5e7cd91b24614380dc8c824342c07

SHA1
832c02c7addf73333dd2daf3404a504ac63b29e8

SHA256
91fa9d0f8c8e53cef826288be3e2bae6c5c0acfd1b4bd51668cc5f09da30fbb7

SHA512
03b39d1e8949345481d36f61fbc229266ab0e4cd963aab5244c43252fc259b8337352d4ac72eca82e6f2c6ae947a43fdf8725672d3a44b2f682d4eae5545a3fe

Download Submit
C:\Program Files\Microsoft Games\FreeCell\RCX42AF.tmp

Filesize
52KB

MD5
f7218964305a419e22a7f4fbfae09b21

SHA1
aa08097181905e9d33d410ef625b5680250a7bae

SHA256
b27d48714919a5dd1434956a49998b29a0142aeea768ca830af6a62bba1701f5

SHA512
534d14bfd9e12e4980d376913e49421f4d59c2c5ba2830ec9dbc4a120d088df4616a0be57b625b34560fb2a89bcc7380ab9b7f0f7f45a992626a047306e1a623

Download Submit
C:\Program Files\Microsoft Games\Purble Place\841571062

Filesize
1.3MB

MD5
e35436adc4df6661d4217c3861969c21

SHA1
142fd4139560237485f87e44d0bc0e2d4edbaa93

SHA256
b736596cebed594caf606ad0636bda45bbcf8e47318f9ad07a32d79c1a26bff3

SHA512
33053ea7197f7efb9579a065215c0e0d7a1f8dee0eaad3a4be1970b8c88eccb463abefa118779b2697aae05d6165e32eb76a88c64efc300b5309ce9d6e9bd319

Download Submit
C:\Users\Admin\AppData\Local\Temp\361569220

Filesize
307KB

MD5
f1a9b4b1f750bb90b7240f38aa3fd939

SHA1
4d630bd6b89f4ba0315ed37035d5e32775a7b969

SHA256
7cc9be747a138d8b9e716ee5f16188215b730af91d9fe954d8e172f515f5b498

SHA512
e4d6eea0e415d27f39224af29cef84bd55fb098b06c7aaee38d6eac34621ca3585bbae0d2fc2938bbe5755fd6d3bbbf47f9c4bc29a6e6914f761c1c76e4a107f

Download Submit
C:\Windows\System32\msconfig.exe

Filesize
57KB

MD5
cf45949cdbb39c953331cdcb9cec20f8

SHA1
6756f752141602424af234433dadedc12520165d

SHA256
34df739526c114bb89470b3b650946cbf7335cb4a2206489534fb05c1fc143a8

SHA512
b699b406bb4df8c6fb6339219ab1feaa5c7b2c39082d3761689e9b5326e52861bb8e2770d683838b05e649ff2022f413dc1e3f7e605a03077190f8950f9442be

Download Submit
memory/2108-330-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

Filesize
4KB

Download
memory/2108-335-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2108-0-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

Filesize
4KB

Download
memory/2108-401-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2108-2-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2108-1-0x00000000012D0000-0x0000000001AE2000-memory.dmp

Filesize
8.1MB

Download