Resubmissions
28/03/2025, 14:59 250328-sc4wsazjx2 10
28/03/2025, 14:53 250328-r9rr2sxwbz 10
27/03/2025, 13:35 250327-qvr9laswew 10
Analysis
- max time kernel: 36s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28/03/2025, 14:59
Static task
static1
Behavioral task
behavioral1
Sample
JKT48.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JKT48.exe
Resource
win10v2004-20250314-en
General
- Target: JKT48.exe
- Size: 8.0MB
- MD5: 41f5bac802f5e79dc2ca7a3db25d0001
- SHA1: ce56c42cadd2db13edf03c15ce3b11c2cfa00f9e
- SHA256: 9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d
- SHA512: 94705e83ce1b104954be07210ea3648c7403a6dd86ebaf6e884ced1552636b6a05a3b2926415d6c49ff251a675815435e4b2a3c8f816bbbf68c08c3299db99ab
- SSDEEP: 196608:PF35AX/ip4e/aS3e+gr80KILDjhoOX9oeqZ8r8swzH0e:d3KX/o4eSTr80xHhJ8s63
Malware Config
Signatures
Modifies Windows Defender DisableAntiSpyware settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | JKT48.exe
UAC bypass 3 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JKT48.exe
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JKT48.exe
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 32 IoCs
Possible privilege escalation attempt 64 IoCs
Modifies file permissions 1 TTPs 64 IoCs
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | JKT48.exe
Drops file in System32 directory 29 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\windows\servicing\trustedinstaller.exe | JKT48.exe
File created | C:\windows\regedit.exe | JKT48.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2432 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1780 | JKT48.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1780 | JKT48.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
1780 | JKT48.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JKT48.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JKT48.exe"C:\Users\Admin\AppData\Local\Temp\JKT48.exe"1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1780 -
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin" /a2⤵PID:2536
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\$Recycle.Bin" /grant Administrators:F2⤵PID:2828
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000" /a2⤵PID:1864
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000" /grant Administrators:F2⤵PID:2864
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Documents and Settings" /a2⤵PID:2848
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Documents and Settings" /grant Administrators:F2⤵PID:2728
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache" /a2⤵PID:2904
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache" /grant Administrators:F2⤵PID:2748
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users" /a2⤵PID:2784
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users" /grant Administrators:F2⤵PID:2640
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C" /a2⤵PID:3056
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:2136
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\cmd.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\cmd.exe" /grant Administrators:F2⤵PID:1092
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe" /a2⤵PID:2812
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe" /grant Administrators:F2⤵PID:976
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C" /a2⤵PID:2788
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:2580
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi" /a2⤵PID:2916
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\regedit.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi" /grant Administrators:F2⤵PID:1224
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\regedit.exe" /grant Administrators:F2⤵PID:1756
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C" /a2⤵PID:2068
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:752
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi" /a2⤵PID:2196
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\reg.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi" /grant Administrators:F2⤵PID:3000
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\reg.exe" /grant Administrators:F2⤵PID:2332
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C" /a2⤵PID:680
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:792
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi" /a2⤵PID:1768
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi" /grant Administrators:F2⤵PID:544
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskmgr.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C" /a2⤵PID:2204
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\taskmgr.exe" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:2564
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:1328
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi" /a2⤵PID:1612
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi" /grant Administrators:F2⤵PID:1604
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\msconfig.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:780
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\msconfig.exe" /grant Administrators:F2⤵PID:308
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C" /a2⤵PID:2760
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:2852
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi" /a2⤵PID:2716
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi" /grant Administrators:F2⤵PID:2728
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C" /a2⤵PID:2612
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\utilman.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2676
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:2640
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\utilman.exe" /grant Administrators:F2⤵PID:2652
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi" /a2⤵PID:852
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi" /grant Administrators:F2⤵PID:1828
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en" /a2⤵PID:1912
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en" /grant Administrators:F2⤵PID:1724
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi" /a2⤵PID:1640
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi" /grant Administrators:F2⤵PID:1124
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\sethc.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es" /a2⤵PID:2708
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\sethc.exe" /grant Administrators:F2⤵PID:2032
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es" /grant Administrators:F2⤵PID:2324
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi" /a2⤵PID:2452
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi" /grant Administrators:F2⤵PID:2180
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr" /a2⤵PID:1816
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr" /grant Administrators:F2⤵PID:1320
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.exe" /grant Administrators:F2⤵PID:2988
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi" /a2⤵PID:1752
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi" /grant Administrators:F2⤵PID:2188
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C" /a2⤵PID:756
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:328
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi" /a2⤵PID:2564
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi" /grant Administrators:F2⤵PID:380
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.msc" /a2⤵PID:2228
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C" /a2⤵PID:2692
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.msc" /grant Administrators:F2⤵PID:3040
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:2704
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi" /a2⤵
- Possible privilege escalation attempt
PID:2844
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi" /grant Administrators:F2⤵
- Modifies file permissions
PID:2092
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C" /a2⤵PID:2356
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:2876
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\resmon.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi" /a2⤵PID:2124
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\resmon.exe" /grant Administrators:F2⤵PID:1812
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi" /grant Administrators:F2⤵PID:2748
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C" /a2⤵PID:1092
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:1488
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE" /a2⤵PID:2912
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE" /grant Administrators:F2⤵PID:2788
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033" /a2⤵PID:1908
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\logonui.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033" /grant Administrators:F2⤵PID:2956
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\logonui.exe" /grant Administrators:F2⤵PID:2232
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C" /a2⤵PID:688
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:1796
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi" /a2⤵PID:1892
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi" /grant Administrators:F2⤵PID:448
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi" /a2⤵PID:1284
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi" /grant Administrators:F2⤵PID:1988
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C" /a2⤵PID:680
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskkill.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:920
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\taskkill.exe" /grant Administrators:F2⤵PID:2120
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C" /grant Administrators:F2⤵PID:1768
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi" /a2⤵PID:2928
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi" /grant Administrators:F2⤵PID:1956
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\rundll32.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2148
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\rundll32.exe" /grant Administrators:F2⤵PID:2564
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us" /a2⤵PID:1596
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us" /grant Administrators:F2⤵PID:2408
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi" /a2⤵PID:2076
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi" /grant Administrators:F2⤵PID:2504
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\PerfLogs" /a2⤵PID:2880
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\PerfLogs" /grant Administrators:F2⤵PID:2816
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\PerfLogs\Admin" /a2⤵PID:2728
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\PerfLogs\Admin" /grant Administrators:F2⤵PID:2636
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\rstrui.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\rstrui.exe" /grant Administrators:F2⤵PID:2876
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files" /grant Administrators:F2⤵PID:1808
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\sfc.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2804
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\sfc.exe" /grant Administrators:F2⤵PID:1804
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip" /a2⤵PID:2896
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip" /grant Administrators:F2⤵PID:488
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\7z.exe" /a2⤵PID:1488
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\winload.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2376
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\7z.exe" /grant Administrators:F2⤵PID:1912
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\Lang" /a2⤵PID:2952
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\winload.exe" /grant Administrators:F2⤵PID:1080
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\Lang" /grant Administrators:F2⤵PID:1228
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1124
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files" /grant Administrators:F2⤵PID:2964
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared" /grant Administrators:F2⤵PID:1532
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Filters" /a2⤵PID:2032
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Filters" /grant Administrators:F2⤵PID:2448
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink" /a2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:1332
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink" /grant Administrators:F2⤵PID:2452
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\ntoskrnl.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:448
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\ntoskrnl.exe" /grant Administrators:F2⤵PID:1208
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe" /grant Administrators:F2⤵PID:2160
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA" /grant Administrators:F2⤵PID:1748
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\system32\hal.dll" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2120
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG" /grant Administrators:F2⤵PID:920
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:328
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\system32\hal.dll" /grant Administrators:F2⤵PID:1272
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ" /grant Administrators:F2⤵PID:752
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1916
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK" /grant Administrators:F2⤵PID:1604
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE" /grant Administrators:F2⤵PID:2132
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR" /grant Administrators:F2⤵PID:1736
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\servicing\trustedinstaller.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\en-US" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US" /grant Administrators:F2⤵PID:2848
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\servicing\trustedinstaller.exe" /grant Administrators:F2⤵PID:2836
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2900
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES" /grant Administrators:F2⤵PID:2620
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE" /grant Administrators:F2⤵PID:1660
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI" /a2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2372
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI" /grant Administrators:F2⤵PID:1372
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2924
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR" /grant Administrators:F2⤵PID:796
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1808
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\cmd.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1480
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions" /grant Administrators:F2⤵PID:844
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\cmd.exe" /grant Administrators:F2⤵PID:2444
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad" /grant Administrators:F2⤵PID:1224
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:536
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad" /grant Administrators:F2⤵PID:2496
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\regedit.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\regedit.exe" /grant Administrators:F2⤵PID:304
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main" /grant Administrators:F2⤵PID:2244
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:740
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers" /grant Administrators:F2⤵PID:1388
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:604
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu" /grant Administrators:F2⤵PID:2488
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad" /grant Administrators:F2⤵PID:1672
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred" /grant Administrators:F2⤵PID:1856
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:756
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\reg.exe" /a2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2972
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols" /grant Administrators:F2⤵PID:2928
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\reg.exe" /grant Administrators:F2⤵PID:2892
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:864
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web" /grant Administrators:F2⤵PID:448
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2448
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:1516
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1788
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR" /grant Administrators:F2⤵PID:2532
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU" /grant Administrators:F2⤵PID:2504
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskmgr.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2152
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskmgr.exe" /grant Administrators:F2⤵PID:2944
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization" /grant Administrators:F2⤵PID:2508
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2992
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT" /grant Administrators:F2⤵PID:2616
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:308
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP" /grant Administrators:F2⤵PID:3056
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:852
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT" /grant Administrators:F2⤵PID:296
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\utilman.exe" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\utilman.exe" /grant Administrators:F2⤵PID:796
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV" /grant Administrators:F2⤵PID:904
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1140
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO" /grant Administrators:F2⤵PID:2912
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL" /grant Administrators:F2⤵PID:2260
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL" /a2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:1308
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR" /a2⤵PID:688
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR" /grant Administrators:F2⤵PID:1952
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT" /a2⤵PID:3000
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.exe" /a2⤵PID:2588
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.exe" /grant Administrators:F2⤵PID:940
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT" /grant Administrators:F2⤵PID:1284
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO" /a2⤵PID:2308
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO" /grant Administrators:F2⤵PID:1484
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU" /a2⤵PID:1632
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU" /grant Administrators:F2⤵PID:2204
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK" /a2⤵PID:1080
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK" /grant Administrators:F2⤵PID:604
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI" /a2⤵PID:1036
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI" /grant Administrators:F2⤵PID:2280
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS" /a2⤵PID:876
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS" /grant Administrators:F2⤵PID:1712
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.msc" /a2⤵PID:2452
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE" /a2⤵PID:3048
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.msc" /grant Administrators:F2⤵PID:2400
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE" /grant Administrators:F2⤵PID:2824
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH" /a2⤵PID:3040
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH" /grant Administrators:F2⤵PID:2720
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR" /a2⤵PID:2852
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR" /grant Administrators:F2⤵PID:448
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA" /a2⤵PID:1788
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA" /grant Administrators:F2⤵PID:2228
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN" /a2⤵PID:2828
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN" /grant Administrators:F2⤵PID:2820
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW" /a2⤵PID:2624
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\resmon.exe" /a2⤵PID:324
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW" /grant Administrators:F2⤵PID:2920
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\resmon.exe" /grant Administrators:F2⤵PID:488
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /a2⤵PID:1052
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /grant Administrators:F2⤵PID:1144
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /a2⤵PID:332
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /grant Administrators:F2⤵PID:1044
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE" /a2⤵PID:2012
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE" /grant Administrators:F2⤵PID:2904
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US" /a2⤵PID:1812
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US" /grant Administrators:F2⤵PID:1912
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sethc.exe" /a2⤵PID:2964
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES" /a2⤵PID:2056
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\sethc.exe" /grant Administrators:F2⤵PID:2804
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES" /grant Administrators:F2⤵PID:1308
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR" /a2⤵PID:1892
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR" /grant Administrators:F2⤵PID:2460
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT" /a2⤵PID:2592
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT" /grant Administrators:F2⤵PID:1960
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP" /a2⤵PID:2248
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP" /grant Administrators:F2⤵PID:1048
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OFFICE14" /a2⤵PID:1500
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OFFICE14" /grant Administrators:F2⤵PID:1284
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskkill.exe" /a2⤵PID:1080
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /a2⤵PID:1688
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskkill.exe" /grant Administrators:F2⤵PID:2480
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /grant Administrators:F2⤵PID:3028
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures" /a2⤵PID:2116
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures" /grant Administrators:F2⤵PID:1076
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform" /a2⤵PID:2280
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform" /grant Administrators:F2⤵PID:604
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sfc.exe" /a2⤵PID:1436
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\sfc.exe" /grant Administrators:F2⤵PID:2564
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" /a2⤵PID:2092
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" /grant Administrators:F2⤵PID:2504
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Stationery" /a2⤵PID:2692
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Stationery" /grant Administrators:F2⤵PID:2508
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv" /a2⤵PID:2320
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv" /grant Administrators:F2⤵PID:2748
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE" /a2⤵PID:2808
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE" /grant Administrators:F2⤵PID:2732
-
-
C:\windows\system32\takeown.exe
"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US" /a
- Modifies file permissions
PID:2044
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\rundll32.exe" /a2⤵PID:1372
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US" /grant Administrators:F2⤵PID:2876
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\windows\syswow64\rundll32.exe" /grant Administrators:F2⤵PID:2788
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES" /a2⤵PID:1608
-
-
C:\windows\system32\vssadmin.exe
"C:\windows\system32\vssadmin.exe" delete shadows /all /quiet
- Interacts with shadow copies
PID:2432
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES" /grant Administrators:F2⤵PID:1052
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR" /a2⤵PID:296
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR" /grant Administrators:F2⤵PID:2904
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT" /a2⤵PID:2932
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT" /grant Administrators:F2⤵PID:2608
-
-
C:\windows\system32\takeown.exe
"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP" /a
- Modifies file permissions
PID:2056
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP" /grant Administrators:F2⤵PID:2804
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit" /a2⤵PID:628
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit" /grant Administrators:F2⤵PID:1652
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE" /a2⤵PID:1520
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE" /grant Administrators:F2⤵PID:684
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US" /a2⤵PID:1428
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US" /grant Administrators:F2⤵PID:2204
-
-
C:\windows\system32\takeown.exe
"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES" /a
- Modifies file permissions
PID:1124
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES" /grant Administrators:F2⤵PID:2120
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR" /a2⤵PID:1604
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR" /grant Administrators:F2⤵PID:2172
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT" /a2⤵PID:1080
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT" /grant Administrators:F2⤵PID:1960
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP" /a2⤵PID:1708
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP" /grant Administrators:F2⤵PID:1792
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VC" /a2⤵PID:2492
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VC" /grant Administrators:F2⤵PID:2452
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VGX" /a2⤵PID:1208
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VGX" /grant Administrators:F2⤵PID:2388
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO" /a2⤵PID:2852
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO" /grant Administrators:F2⤵PID:1516
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0" /a2⤵PID:864
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0" /grant Administrators:F2⤵PID:2848
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe" /a2⤵PID:3064
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe" /grant Administrators:F2⤵PID:2784
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033" /a2⤵PID:1032
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033" /grant Administrators:F2⤵PID:1660
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Services" /a2⤵PID:2716
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Services" /grant Administrators:F2⤵PID:2936
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines" /a2⤵PID:852
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines" /grant Administrators:F2⤵PID:1608
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft" /a2⤵PID:296
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft" /grant Administrators:F2⤵PID:2772
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20" /a2⤵PID:444
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20" /grant Administrators:F2⤵PID:2124
-
-
C:\windows\system32\takeown.exe
"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE" /a
- Modifies file permissions
PID:2964
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE" /grant Administrators:F2⤵PID:2516
-
-
C:\windows\system32\takeown.exe
"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US" /a
- Possible privilege escalation attempt
PID:2180
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US" /grant Administrators:F2⤵PID:2796
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk" /a2⤵PID:3020
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk" /grant Administrators:F2⤵PID:756
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES" /a2⤵PID:1908
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES" /grant Administrators:F2⤵PID:628
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR" /a2⤵PID:2156
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR" /grant Administrators:F2⤵PID:340
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT" /a2⤵PID:1964
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT" /grant Administrators:F2⤵PID:1684
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP" /a2⤵PID:2032
-
-
C:\windows\system32\icacls.exe
"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP" /grant Administrators:F
- Possible privilege escalation attempt
PID:2188
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System" /a2⤵PID:1048
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System" /grant Administrators:F2⤵PID:1768
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado" /a2⤵PID:1256
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado" /grant Administrators:F2⤵PID:1076
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\de-DE" /a2⤵PID:2844
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\de-DE" /grant Administrators:F2⤵PID:2760
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\en-US" /a2⤵PID:2452
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\en-US" /grant Administrators:F2⤵PID:2720
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\es-ES" /a2⤵PID:3040
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\es-ES" /grant Administrators:F2⤵PID:792
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\fr-FR" /a2⤵PID:2528
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\fr-FR" /grant Administrators:F2⤵PID:2160
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\it-IT" /a2⤵PID:2840
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\it-IT" /grant Administrators:F2⤵PID:1276
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\ja-JP" /a2⤵PID:228
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\ja-JP" /grant Administrators:F2⤵PID:324
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\de-DE" /a2⤵PID:1992
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\de-DE" /grant Administrators:F2⤵PID:2632
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\en-US" /a2⤵PID:1804
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\en-US" /grant Administrators:F2⤵PID:3032
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\es-ES" /a2⤵PID:2312
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\es-ES" /grant Administrators:F2⤵PID:2936
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\fr-FR" /a2⤵PID:2400
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\fr-FR" /grant Administrators:F2⤵PID:2092
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\it-IT" /a2⤵PID:1188
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\it-IT" /grant Administrators:F2⤵PID:332
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ja-JP" /a2⤵PID:1636
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ja-JP" /grant Administrators:F2⤵PID:1952
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc" /a2⤵PID:852
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc" /grant Administrators:F2⤵PID:2888
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\de-DE" /a2⤵PID:1988
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\de-DE" /grant Administrators:F2⤵PID:888
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\en-US" /a2⤵PID:1328
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\en-US" /grant Administrators:F2⤵PID:2588
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\es-ES" /a2⤵PID:2932
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\es-ES" /grant Administrators:F2⤵PID:536
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\fr-FR" /a2⤵PID:1744
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\fr-FR" /grant Administrators:F2⤵PID:340
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\it-IT" /a2⤵PID:1272
-
-
C:\windows\system32\icacls.exe
"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\it-IT" /grant Administrators:F
- Possible privilege escalation attempt
PID:2344
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\ja-JP" /a2⤵PID:2360
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\ja-JP" /grant Administrators:F2⤵PID:1600
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB" /a2⤵PID:1768
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB" /grant Administrators:F2⤵PID:2480
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\de-DE" /a2⤵PID:2572
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\de-DE" /grant Administrators:F2⤵PID:1420
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\en-US" /a2⤵PID:2844
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\en-US" /grant Administrators:F2⤵PID:1080
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\es-ES" /a2⤵PID:2280
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\es-ES" /grant Administrators:F2⤵PID:1208
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\fr-FR" /a2⤵PID:876
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\fr-FR" /grant Administrators:F2⤵PID:2152
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\it-IT" /a2⤵PID:2836
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\it-IT" /grant Administrators:F2⤵PID:2908
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\ja-JP" /a2⤵PID:1276
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\ja-JP" /grant Administrators:F2⤵PID:680
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker" /a2⤵PID:1112
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker" /grant Administrators:F2⤵PID:864
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\DVDMaker.exe" /a2⤵PID:1992
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\DVDMaker.exe" /grant Administrators:F2⤵PID:2200
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\de-DE" /a2⤵PID:2008
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\de-DE" /grant Administrators:F2⤵PID:2876
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\en-US" /a2⤵PID:2240
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\en-US" /grant Administrators:F2⤵PID:1924
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\es-ES" /a2⤵PID:2400
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\es-ES" /grant Administrators:F2⤵PID:2996
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\fr-FR" /a2⤵PID:1608
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\fr-FR" /grant Administrators:F2⤵PID:2964
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\it-IT" /a2⤵PID:1952
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\it-IT" /grant Administrators:F2⤵PID:544
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\ja-JP" /a2⤵PID:304
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\ja-JP" /grant Administrators:F2⤵PID:3000
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared" /a2⤵PID:684
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared" /grant Administrators:F2⤵PID:3020
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles" /a2⤵PID:1728
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles" /grant Administrators:F2⤵PID:2308
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy" /a2⤵PID:2932
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy" /grant Administrators:F2⤵PID:1524
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl" /a2⤵PID:2248
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl" /grant Administrators:F2⤵PID:1284
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage" /a2⤵PID:2120
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage" /grant Administrators:F2⤵PID:1048
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Full" /a2⤵PID:1692
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Full" /grant Administrators:F2⤵PID:2016
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle" /a2⤵PID:2004
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle" /grant Administrators:F2⤵PID:2148
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles" /a2⤵PID:1136
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles" /grant Administrators:F2⤵PID:2856
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories" /a2⤵PID:2844
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories" /grant Administrators:F2⤵PID:2644
-
-
C:\windows\system32\takeown.exe
"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge" /a
- Possible privilege escalation attempt
PID:2276
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge" /grant Administrators:F2⤵PID:2664
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance" /a2⤵PID:2152
-
-
C:\windows\system32\icacls.exe
"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance" /grant Administrators:F
- Modifies file permissions
PID:3040
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets" /a2⤵PID:728
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets" /grant Administrators:F2⤵PID:2828
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Push" /a2⤵PID:2636
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Push" /grant Administrators:F2⤵PID:228
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles" /a2⤵
- Possible privilege escalation attempt
PID:1008
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles" /grant Administrators:F2⤵PID:1804
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels" /a2⤵PID:2200
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels" /grant Administrators:F2⤵PID:2000
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter" /a2⤵PID:2728
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter" /grant Administrators:F2⤵PID:2272
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion" /a2⤵PID:332
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion" /grant Administrators:F2⤵PID:1924
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports" /a2⤵PID:1032
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports" /grant Administrators:F2⤵PID:2400
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking" /a2⤵PID:2868
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking" /grant Administrators:F2⤵PID:1072
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel" /a2⤵PID:292
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel" /grant Administrators:F2⤵PID:2680
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall" /a2⤵PID:544
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall" /grant Administrators:F2⤵PID:936
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette" /a2⤵PID:684
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette" /grant Administrators:F2⤵PID:1428
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google" /a2⤵PID:2972
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google" /grant Administrators:F2⤵PID:1616
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome" /a2⤵PID:1816
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome" /grant Administrators:F2⤵PID:1764
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application" /a2⤵PID:2592
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:1684
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\chrome.exe" /a2⤵PID:1124
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\chrome.exe" /grant Administrators:F2⤵PID:1340
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119" /a2⤵PID:2396
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119" /grant Administrators:F2⤵PID:2944
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe" /a2⤵PID:2148
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe" /grant Administrators:F2⤵PID:1708
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps" /a2⤵PID:2908
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps" /grant Administrators:F2⤵PID:216
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions" /a2⤵PID:680
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions" /grant Administrators:F2⤵PID:2080
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer" /a2⤵PID:2276
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer" /grant Administrators:F2⤵PID:2712
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" /a2⤵PID:2532
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" /grant Administrators:F2⤵
- Modifies file permissions
PID:2444
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales" /a2⤵PID:2168
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales" /grant Administrators:F2⤵PID:2748
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload" /a2⤵PID:2580
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload" /grant Administrators:F2⤵PID:2012
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements" /a2⤵PID:2956
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements" /grant Administrators:F2⤵PID:3052
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm" /a2⤵PID:2144
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm" /grant Administrators:F2⤵PID:1988
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific" /a2⤵PID:1672
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific" /grant Administrators:F2⤵PID:2868
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64" /a2⤵PID:1112
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64" /grant Administrators:F2⤵PID:2996
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\SetupMetrics" /a2⤵PID:2516
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\SetupMetrics" /grant Administrators:F2⤵PID:2608
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer" /a2⤵PID:2804
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer" /grant Administrators:F2⤵PID:1952
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\iediagcmd.exe" /a2⤵PID:2308
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\iediagcmd.exe" /grant Administrators:F2⤵PID:280
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\de-DE" /a2⤵PID:2592
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\de-DE" /grant Administrators:F2⤵PID:688
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\en-US" /a2⤵PID:2824
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\en-US" /grant Administrators:F2⤵PID:1124
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\es-ES" /a2⤵PID:2248
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\es-ES" /grant Administrators:F2⤵PID:1296
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\fr-FR" /a2⤵PID:1792
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\fr-FR" /grant Administrators:F2⤵PID:2944
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\images" /a2⤵PID:1436
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\images" /grant Administrators:F2⤵PID:2452
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\it-IT" /a2⤵PID:2852
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\it-IT" /grant Administrators:F2⤵PID:2136
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\ja-JP" /a2⤵PID:2668
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\ja-JP" /grant Administrators:F2⤵PID:2736
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\SIGNUP" /a2⤵PID:780
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\SIGNUP" /grant Administrators:F2⤵PID:2036
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java" /a2⤵PID:2652
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java" /grant Administrators:F2⤵PID:2276
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80" /a2⤵PID:324
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80" /grant Administrators:F2⤵PID:228
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\bin" /a2⤵PID:2532
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\bin" /grant Administrators:F2⤵PID:1804
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe" /a2⤵PID:2692
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe" /grant Administrators:F2⤵PID:2816
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\db" /a2⤵PID:2808
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\db" /grant Administrators:F2⤵PID:2580
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\db\bin" /a2⤵PID:1188
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\db\bin" /grant Administrators:F2⤵PID:1812
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\db\lib" /a2⤵PID:2260
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\db\lib" /grant Administrators:F2⤵PID:1752
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\include" /a2⤵PID:940
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\include" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:1072
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\include\win32" /a2⤵PID:2788
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\include\win32" /grant Administrators:F2⤵PID:1596
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge" /a2⤵PID:1728
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge" /grant Administrators:F2⤵PID:2608
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre" /a2⤵PID:340
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre" /grant Administrators:F2⤵PID:2932
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin" /a2⤵PID:1748
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin" /grant Administrators:F2⤵PID:1600
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe" /a2⤵PID:2972
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe" /grant Administrators:F2⤵PID:2496
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin" /a2⤵PID:3028
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin" /grant Administrators:F2⤵PID:1048
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2" /a2⤵PID:1500
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2" /grant Administrators:F2⤵PID:1420
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server" /a2⤵PID:2280
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server" /grant Administrators:F2⤵PID:1960
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib" /a2⤵PID:448
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib" /grant Administrators:F2⤵PID:2076
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe" /a2⤵PID:232
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe" /grant Administrators:F2⤵PID:1276
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64" /a2⤵PID:1124
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64" /grant Administrators:F2⤵PID:556
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet" /a2⤵PID:2228
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet" /grant Administrators:F2⤵PID:2152
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm" /a2⤵PID:2880
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm" /grant Administrators:F2⤵PID:2664
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy" /a2⤵PID:224
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy" /grant Administrators:F2⤵PID:2924
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext" /a2⤵PID:2716
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext" /grant Administrators:F2⤵PID:1008
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts" /a2⤵PID:380
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts" /grant Administrators:F2⤵PID:2936
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images" /a2⤵PID:2748
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images" /grant Administrators:F2⤵PID:2012
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors" /a2⤵PID:1348
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors" /grant Administrators:F2⤵PID:1280
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr" /a2⤵PID:292
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr" /grant Administrators:F2⤵PID:3060
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management" /a2⤵PID:1544
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management" /grant Administrators:F2⤵PID:2968
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security" /a2⤵
- Modifies file permissions
PID:2788
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security" /grant Administrators:F2⤵PID:796
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi" /a2⤵PID:768
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi" /grant Administrators:F2⤵PID:2056
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa" /a2⤵
- Modifies file permissions
PID:1636
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa" /grant Administrators:F2⤵PID:408
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America" /a2⤵PID:1632
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America" /grant Administrators:F2⤵PID:1956
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina" /a2⤵
- Modifies file permissions
PID:340
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina" /grant Administrators:F2⤵PID:2552
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana" /a2⤵PID:2592
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana" /grant Administrators:F2⤵PID:1912
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky" /a2⤵PID:2188
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky" /grant Administrators:F2⤵PID:2164
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota" /a2⤵PID:1136
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota" /grant Administrators:F2⤵PID:2148
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica" /a2⤵PID:2160
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica" /grant Administrators:F2⤵PID:2280
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia" /a2⤵PID:2972
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia" /grant Administrators:F2⤵PID:1864
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic" /a2⤵PID:2908
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic" /grant Administrators:F2⤵PID:2736
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia" /a2⤵PID:2004
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia" /grant Administrators:F2⤵PID:1276
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc" /a2⤵PID:2300
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc" /grant Administrators:F2⤵PID:2356
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe" /a2⤵PID:2652
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe" /grant Administrators:F2⤵PID:2636
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian" /a2⤵PID:3064
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian" /grant Administrators:F2⤵PID:2848
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific" /a2⤵
- Modifies file permissions
PID:2372
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific" /grant Administrators:F2⤵PID:904
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV" /a2⤵PID:1540
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV" /grant Administrators:F2⤵PID:2672
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib" /a2⤵PID:1440
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib" /grant Administrators:F2⤵PID:576
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol" /a2⤵PID:2312
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol" /grant Administrators:F2⤵PID:1008
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration" /a2⤵PID:1476
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration" /grant Administrators:F2⤵PID:2732
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator" /a2⤵PID:544
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator" /grant Administrators:F2⤵PID:936
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update" /a2⤵PID:852
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update" /grant Administrators:F2⤵PID:2332
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins" /a2⤵
- Modifies file permissions
PID:1520
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins" /grant Administrators:F2⤵PID:2308
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features" /a2⤵PID:1272
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features" /grant Administrators:F2⤵PID:2208
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303" /a2⤵PID:2096
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303" /grant Administrators:F2⤵PID:2788
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303" /a2⤵PID:1544
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303" /grant Administrators:F2⤵PID:1924
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303" /a2⤵PID:2292
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303" /grant Administrators:F2⤵PID:2460
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303" /a2⤵PID:2720
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303" /grant Administrators:F2⤵PID:2592
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303" /a2⤵PID:1208
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303" /grant Administrators:F2⤵PID:2448
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303" /a2⤵PID:2496
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303" /grant Administrators:F2⤵PID:3028
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303" /a2⤵PID:2856
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303" /grant Administrators:F2⤵PID:1296
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002" /a2⤵PID:2704
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002" /grant Administrators:F2⤵PID:2160
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002" /a2⤵PID:2408
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002" /grant Administrators:F2⤵PID:844
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033" /a2⤵
- Possible privilege escalation attempt
PID:2688
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033" /grant Administrators:F2⤵PID:728
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF" /a2⤵PID:2916
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF" /grant Administrators:F2⤵PID:2432
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444" /a2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2848
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444" /grant Administrators:F2⤵PID:1820
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF" /a2⤵PID:2632
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF" /grant Administrators:F2⤵PID:1140
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444" /a2⤵PID:2044
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444" /grant Administrators:F2⤵PID:3068
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF" /a2⤵PID:1540
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:2400
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444" /a2⤵PID:2012
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444" /grant Administrators:F2⤵PID:380
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF" /a2⤵PID:1640
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF" /grant Administrators:F2⤵PID:1008
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444" /a2⤵PID:1188
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444" /grant Administrators:F2⤵PID:940
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF" /a2⤵PID:2504
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF" /grant Administrators:F2⤵PID:1952
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444" /a2⤵PID:972
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:852
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF" /a2⤵PID:1748
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF" /grant Administrators:F2⤵PID:280
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444" /a2⤵PID:2480
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444" /grant Administrators:F2⤵PID:408
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF" /a2⤵PID:536
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:2344
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043" /a2⤵PID:1240
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043" /grant Administrators:F2⤵PID:1544
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF" /a2⤵
- Possible privilege escalation attempt
PID:1736
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF" /grant Administrators:F2⤵PID:2948
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043" /a2⤵PID:208
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043" /grant Administrators:F2⤵PID:2448
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF" /a2⤵PID:2800
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF" /grant Administrators:F2⤵PID:2836
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116" /a2⤵PID:200
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:2668
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF" /a2⤵PID:2148
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF" /grant Administrators:F2⤵PID:1864
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116" /a2⤵PID:2528
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116" /grant Administrators:F2⤵PID:2160
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF" /a2⤵PID:3040
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF" /grant Administrators:F2⤵PID:316
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301" /a2⤵PID:2916
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301" /grant Administrators:F2⤵PID:2320
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF" /a2⤵PID:2620
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF" /grant Administrators:F2⤵PID:232
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301" /a2⤵PID:2876
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301" /grant Administrators:F2⤵PID:2956
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF" /a2⤵PID:888
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF" /grant Administrators:F2⤵PID:2728
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2" /a2⤵PID:2400
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2" /grant Administrators:F2⤵PID:2244
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core" /a2⤵PID:2900
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core" /grant Administrators:F2⤵PID:2144
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache" /a2⤵PID:2012
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache" /grant Administrators:F2⤵PID:2936
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary" /a2⤵
- Possible privilege escalation attempt
PID:936
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary" /grant Administrators:F2⤵PID:1328
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine" /a2⤵PID:1652
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine" /grant Administrators:F2⤵PID:2608
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings" /a2⤵
- Modifies file permissions
PID:2928
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings" /grant Administrators:F2⤵PID:1964
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry" /a2⤵PID:340
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry" /grant Administrators:F2⤵PID:1600
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile" /a2⤵PID:1684
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile" /grant Administrators:F2⤵PID:1264
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data" /a2⤵PID:604
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data" /grant Administrators:F2⤵PID:1316
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins" /a2⤵PID:536
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins" /grant Administrators:F2⤵PID:2344
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303" /a2⤵PID:2752
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303" /grant Administrators:F2⤵PID:608
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html" /a2⤵PID:2844
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html" /grant Administrators:F2⤵PID:752
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon" /a2⤵PID:3028
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon" /grant Administrators:F2⤵PID:1388
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css" /a2⤵PID:2972
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css" /grant Administrators:F2⤵PID:556
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs" /a2⤵PID:1124
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs" /grant Administrators:F2⤵PID:2152
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html" /a2⤵PID:1980
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html" /grant Administrators:F2⤵PID:2160
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons" /a2⤵PID:200
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons" /grant Administrators:F2⤵PID:1692
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF" /a2⤵PID:2652
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF" /grant Administrators:F2⤵PID:1820
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303" /a2⤵PID:1052
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303" /grant Administrators:F2⤵PID:2300
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons" /a2⤵PID:904
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons" /grant Administrators:F2⤵PID:2904
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib" /a2⤵PID:2232
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib" /grant Administrators:F2⤵PID:3032
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF" /a2⤵PID:1828
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF" /grant Administrators:F2⤵PID:2400
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema" /a2⤵PID:1148
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:1348
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033" /a2⤵PID:2808
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033" /grant Administrators:F2⤵PID:2816
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF" /a2⤵PID:1328
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF" /grant Administrators:F2⤵PID:1520
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717" /a2⤵PID:2156
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717" /grant Administrators:F2⤵PID:1272
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css" /a2⤵PID:2552
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css" /grant Administrators:F2⤵PID:796
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark" /a2⤵PID:1924
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:2104
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images" /a2⤵PID:1816
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images" /grant Administrators:F2⤵PID:1708
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF" /a2⤵PID:280
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF" /grant Administrators:F2⤵PID:1952
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm" /a2⤵PID:2188
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:1252
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc" /a2⤵PID:2756
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc" /grant Administrators:F2⤵PID:2592
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform" /a2⤵PID:2496
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform" /grant Administrators:F2⤵PID:2776
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config" /a2⤵PID:2844
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config" /grant Administrators:F2⤵PID:1516
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps" /a2⤵PID:780
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps" /grant Administrators:F2⤵PID:1296
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules" /a2⤵PID:680
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules" /grant Administrators:F2⤵PID:2432
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core" /a2⤵PID:2152
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core" /grant Administrators:F2⤵PID:792
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale" /a2⤵PID:2916
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale" /grant Administrators:F2⤵PID:3064
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib" /a2⤵PID:2008
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib" /grant Administrators:F2⤵PID:1820
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe" /a2⤵PID:3052
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe" /grant Administrators:F2⤵PID:584
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale" /a2⤵PID:2888
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale" /grant Administrators:F2⤵PID:2664
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules" /a2⤵PID:1660
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules" /grant Administrators:F2⤵PID:1828
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext" /a2⤵PID:2900
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext" /grant Administrators:F2⤵PID:2324
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale" /a2⤵PID:2124
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale" /grant Administrators:F2⤵PID:2516
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale" /a2⤵PID:276
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale" /grant Administrators:F2⤵PID:1332
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking" /a2⤵PID:2536
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking" /grant Administrators:F2⤵PID:1956
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler" /a2⤵PID:1524
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler" /grant Administrators:F2⤵
- Modifies file permissions
PID:1284
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config" /a2⤵
- Modifies file permissions
PID:2460
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config" /grant Administrators:F2⤵PID:1964
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules" /a2⤵PID:2360
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules" /grant Administrators:F2⤵
- Possible privilege escalation attempt
PID:2604
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib" /a2⤵PID:2928
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib" /grant Administrators:F2⤵PID:1616
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed" /a2⤵PID:2344
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed" /grant Administrators:F2⤵PID:2056
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15" /a2⤵PID:208
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15" /grant Administrators:F2⤵PID:1252
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64" /a2⤵PID:1604
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64" /grant Administrators:F2⤵PID:2280
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16" /a2⤵PID:752
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16" /grant Administrators:F2⤵PID:2408
-
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64" /a2⤵PID:1516
-
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64" /grant Administrators:F2⤵PID:2136
-
-
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale" /a 2⤵ PID:2780
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale" /grant Administrators:F 2⤵ PID:2228
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules" /a 2⤵ PID:2148
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules" /grant Administrators:F 2⤵ PID:2704
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale" /a 2⤵ PID:2080
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale" /grant Administrators:F 2⤵ PID:2916
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking" /a 2⤵ PID:1864
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking" /grant Administrators:F 2⤵ PID:2848
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm" /a 2⤵ PID:2008
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm" /grant Administrators:F 2⤵ PID:320
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config" /a 2⤵ PID:2300
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config" /grant Administrators:F 2⤵ PID:2632
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules" /a 2⤵ PID:2876 (Possible privilege escalation attempt)
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules" /grant Administrators:F 2⤵ PID:2728
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core" /a 2⤵ PID:1140
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core" /grant Administrators:F 2⤵ PID:2324
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale" /a 2⤵ PID:1852
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale" /grant Administrators:F 2⤵ PID:2000
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules" /a 2⤵ PID:1188
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules" /grant Administrators:F 2⤵ PID:2580
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale" /a 2⤵ PID:1652
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale" /grant Administrators:F 2⤵ PID:2208
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking" /a 2⤵ PID:328
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking" /grant Administrators:F 2⤵ PID:2292
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7" /a 2⤵ PID:1284
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7" /grant Administrators:F 2⤵ PID:3048
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin" /a 2⤵ PID:1856
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin" /grant Administrators:F 2⤵ PID:1040
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\jabswitch.exe" /a 2⤵ PID:2604
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\jabswitch.exe" /grant Administrators:F 2⤵ PID:2480
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\dtplugin" /a 2⤵ PID:1816
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\dtplugin" /grant Administrators:F 2⤵ PID:1908
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\plugin2" /a 2⤵ PID:1960
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\plugin2" /grant Administrators:F 2⤵ PID:1544
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\server" /a 2⤵ PID:2736
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\server" /grant Administrators:F 2⤵ PID:2280
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib" /a 2⤵ PID:2168
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib" /grant Administrators:F 2⤵ PID:2776
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\amd64" /a 2⤵ PID:2496
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\amd64" /grant Administrators:F 2⤵ PID:876
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\applet" /a 2⤵ PID:216
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\applet" /grant Administrators:F 2⤵ PID:2836
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\cmm" /a 2⤵ PID:1044
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\cmm" /grant Administrators:F 2⤵ PID:200
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\deploy" /a 2⤵ PID:1276
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\deploy" /grant Administrators:F 2⤵ PID:1480
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\ext" /a 2⤵ PID:232
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\ext" /grant Administrators:F 2⤵ PID:2916
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\fonts" /a 2⤵ PID:1124
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\fonts" /grant Administrators:F 2⤵ PID:2372
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\images" /a 2⤵ PID:1820
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\images" /grant Administrators:F 2⤵ PID:2924
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\images\cursors" /a 2⤵ PID:888
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\images\cursors" /grant Administrators:F 2⤵ PID:2732
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\jfr" /a 2⤵ PID:1660
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\jfr" /grant Administrators:F 2⤵ PID:2632
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\management" /a 2⤵ PID:2084
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\management" /grant Administrators:F 2⤵ PID:940
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\security" /a 2⤵ PID:2124
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\security" /grant Administrators:F 2⤵ PID:2268
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi" /a 2⤵ PID:2796
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi" /grant Administrators:F 2⤵ PID:2288
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Africa" /a 2⤵ PID:2308 (Modifies file permissions)
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Africa" /grant Administrators:F 2⤵ PID:688
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America" /a 2⤵ PID:1032
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America" /grant Administrators:F 2⤵ PID:1264
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\Argentina" /a 2⤵ PID:2032
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\Argentina" /grant Administrators:F 2⤵ PID:3048
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\Indiana" /a 2⤵ PID:1600
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\Indiana" /grant Administrators:F 2⤵ PID:1768
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\Kentucky" /a 2⤵ PID:852
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\Kentucky" /grant Administrators:F 2⤵ PID:2096
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\North_Dakota" /a 2⤵ PID:2604
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\North_Dakota" /grant Administrators:F 2⤵ PID:2756
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Antarctica" /a 2⤵ PID:2452
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Antarctica" /grant Administrators:F 2⤵ PID:2396
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Asia" /a 2⤵ PID:2448
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Asia" /grant Administrators:F 2⤵ PID:1792
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Atlantic" /a 2⤵ PID:2776
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Atlantic" /grant Administrators:F 2⤵ PID:1080
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Australia" /a 2⤵ PID:2408
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Australia" /grant Administrators:F 2⤵ PID:2712
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Etc" /a 2⤵ PID:976
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Etc" /grant Administrators:F 2⤵ PID:2076
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Europe" /a 2⤵ PID:2508
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Europe" /grant Administrators:F 2⤵ PID:2152
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Indian" /a 2⤵ PID:2540
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Indian" /grant Administrators:F 2⤵ PID:680
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Pacific" /a 2⤵ PID:204 (Possible privilege escalation attempt)
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Pacific" /grant Administrators:F 2⤵ PID:2708
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\SystemV" /a 2⤵ PID:2372
- "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\SystemV" /grant Administrators:F 2⤵ PID:3040
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games" /a 2⤵ PID:2244
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games" /grant Administrators:F 2⤵ PID:2144
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess" /a 2⤵ PID:2924
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess" /grant Administrators:F 2⤵ PID:1828
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\Chess.exe" /a 2⤵ PID:1660
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\Chess.exe" /grant Administrators:F 2⤵ PID:544
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\de-DE" /a 2⤵ PID:1348
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\de-DE" /grant Administrators:F 2⤵ PID:1272 (Possible privilege escalation attempt)
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\en-US" /a 2⤵ PID:3004
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\en-US" /grant Administrators:F 2⤵ PID:2536
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\es-ES" /a 2⤵ PID:2444
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\es-ES" /grant Administrators:F 2⤵ PID:1684
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\fr-FR" /a 2⤵ PID:1924
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\fr-FR" /grant Administrators:F 2⤵ PID:1040
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\it-IT" /a 2⤵ PID:628 (Possible privilege escalation attempt)
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\it-IT" /grant Administrators:F 2⤵ PID:2504
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\ja-JP" /a 2⤵ PID:2572
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\ja-JP" /grant Administrators:F 2⤵ PID:1912
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell" /a 2⤵ PID:1892
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell" /grant Administrators:F 2⤵ PID:280 (Possible privilege escalation attempt)
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe" /a 2⤵ PID:2944
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe" /grant Administrators:F 2⤵ PID:1952
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\de-DE" /a 2⤵ PID:2452
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\de-DE" /grant Administrators:F 2⤵ PID:2756
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\en-US" /a 2⤵ PID:2524
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\en-US" /grant Administrators:F 2⤵ PID:2668
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\es-ES" /a 2⤵ PID:2276
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\es-ES" /grant Administrators:F 2⤵ PID:1044
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\fr-FR" /a 2⤵ PID:2320
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\fr-FR" /grant Administrators:F 2⤵ PID:1864
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\it-IT" /a 2⤵ PID:2540
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\it-IT" /grant Administrators:F 2⤵ PID:2636
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\ja-JP" /a 2⤵ PID:2240
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\ja-JP" /grant Administrators:F 2⤵ PID:2704
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts" /a 2⤵ PID:292
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts" /grant Administrators:F 2⤵ PID:1148
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\Hearts.exe" /a 2⤵ PID:2900
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\Hearts.exe" /grant Administrators:F 2⤵ PID:1828
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\de-DE" /a 2⤵ PID:2316
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\de-DE" /grant Administrators:F 2⤵ PID:2232
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\en-US" /a 2⤵ PID:1188
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\en-US" /grant Administrators:F 2⤵ PID:1548
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\es-ES" /a 2⤵ PID:2268
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\es-ES" /grant Administrators:F 2⤵ PID:2628
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\fr-FR" /a 2⤵ PID:1520
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\fr-FR" /grant Administrators:F 2⤵ PID:2580 (Modifies file permissions)
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\it-IT" /a 2⤵ PID:1264
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\it-IT" /grant Administrators:F 2⤵ PID:2948
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\ja-JP" /a 2⤵ PID:1684
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\ja-JP" /grant Administrators:F 2⤵ PID:2564
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Mahjong" /a 2⤵ PID:1812
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Mahjong" /grant Administrators:F 2⤵ PID:2928
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe" /a 2⤵ PID:2188
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe" /grant Administrators:F 2⤵ PID:220
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Mahjong\de-DE" /a 2⤵ PID:2944
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Mahjong\de-DE" /grant Administrators:F 2⤵ PID:228
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Mahjong\en-US" /a 2⤵ PID:2496
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Mahjong\en-US" /grant Administrators:F 2⤵ PID:1792
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Mahjong\es-ES" /a 2⤵ PID:2760
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Mahjong\es-ES" /grant Administrators:F 2⤵ PID:1388
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Mahjong\fr-FR" /a 2⤵ PID:2836
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Mahjong\fr-FR" /grant Administrators:F 2⤵ PID:2828
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Mahjong\it-IT" /a 2⤵ PID:792
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Mahjong\it-IT" /grant Administrators:F 2⤵ PID:2840
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Mahjong\ja-JP" /a 2⤵ PID:2528
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Mahjong\ja-JP" /grant Administrators:F 2⤵ PID:2812
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Minesweeper" /a 2⤵ PID:904
- "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Minesweeper" /grant Administrators:F 2⤵ PID:2716
- "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe" /a 2⤵ PID:2276
- C:\Windows\system32\vssvc.exe 1⤵ PID:2412
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Direct Volume Access (1)
- File and Directory Permissions Modification (2)
  - Windows File and Directory Permissions Modification (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (3)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads
-
Filesize
8.0MB
MD5185d41f11da719a9ae05c7d66c488c1b
SHA16fab72d2af4b7b00bbd769b0b56c644b7afc9aec
SHA25645e3bf8afdada24f4981887cfe5600bc2e6ba465294c82831a5a1c21eb719d07
SHA5123202494e6c306fc5c35a1c84cfa5a058d141f0bc3cdcf0adf475fef9126c353a6dbf49b855128b8b461697ccdd2b0641ef24886f3977391a4231139ff1de1c33
-
Filesize
2.3MB
MD53709e38da835925d599aaff6bc1bed8c
SHA1290ff284eae93cd3938b742ef7f02fc4aaf54ff0
SHA256d1bb56f383bb44eb830236d42bcb3a5ade8745ff2834f0351de4d824384ee957
SHA512218e38eaa881b340666a72655e59dc9b782fe382dcf3a375983ff2c1ffb67880a095936f84b8e00c37f12343a5d702dfe028c8ab91de1a78c4ed7c4c567f77e7
-
Filesize
3.2MB
MD56f6cb66e60316d58d6e7b1c14bb98766
SHA1145ceb75c961b9c065fc97de4d60836b17e1f9b8
SHA25649f54f2b998ab2d60c62b016d8b000ced38e4a6a108dc78ee9af08a6f6a3eb18
SHA512ff3fd0e49f47ed313951f80312be44b8c66a403fb4b889eab5a691efe51d57e0039dd2a8a67e5a8deb7230d647f69571e5840c691df0dff7d75c3ee1fcf10e52
-
Filesize
215KB
MD50c093f7a8db1482126becc8c8ac4df2a
SHA1df02a35c352136400ca434f2a3704a16a6bad237
SHA256005bd0e6967d01a4ca22c9b5fbd8d60b57f582481b5be1c344d4b9983f37e79c
SHA512c8b7e48464872b3cf6cd91ddf507c0364a022aaffc8642f0eebba6da9069308707631d4659e7479b8947db0d38b152450f9eaf3aaef30f56a71e6152f3af9b71
-
Filesize
963KB
MD56b904bdca812da9e4978546a29aa8e6e
SHA1cf7f96feefb3e7bc42147fa99e88d8757f8fce5c
SHA2565942838a772b71b7800fb7916908bb2a9557660f2643d3ee0c6465ecc3a73b33
SHA512ce6ef49ba62bca86c9514fb5a5338d21398cc744ec47c9e526ed9606a098ac04361e33216a0bd46b9fcabeefa25ee6260d94aef0e824541bf92cdaa7a594f471
-
Filesize
307KB
MD5f1a9b4b1f750bb90b7240f38aa3fd939
SHA14d630bd6b89f4ba0315ed37035d5e32775a7b969
SHA2567cc9be747a138d8b9e716ee5f16188215b730af91d9fe954d8e172f515f5b498
SHA512e4d6eea0e415d27f39224af29cef84bd55fb098b06c7aaee38d6eac34621ca3585bbae0d2fc2938bbe5755fd6d3bbbf47f9c4bc29a6e6914f761c1c76e4a107f
-
Filesize
4KB
MD57df14f970f590c0b23bb134d888278bc
SHA12ee7658c0066f70f196ffd38683a0e948f128ace
SHA256f578d34366cc6c7ed83aa3da2d4e086348ef87c7f6584180a2db0a07cf417c1e
SHA512c1ea6e6f4be80c8fd9745bdc99022b4966ed74487cb11a3f10d4c4f9c5cf711062a2470f192e0a2e73b653497bfaee75f74ecbcbf97e6f3e205a61d45ea975fc
-
Filesize
57KB
MD5cf45949cdbb39c953331cdcb9cec20f8
SHA16756f752141602424af234433dadedc12520165d
SHA25634df739526c114bb89470b3b650946cbf7335cb4a2206489534fb05c1fc143a8
SHA512b699b406bb4df8c6fb6339219ab1feaa5c7b2c39082d3761689e9b5326e52861bb8e2770d683838b05e649ff2022f413dc1e3f7e605a03077190f8950f9442be