9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d

Resubmissions

28/03/2025, 14:59

250328-sc4wsazjx2 10

28/03/2025, 14:53

250328-r9rr2sxwbz 10

27/03/2025, 13:35

250327-qvr9laswew 10

Analysis

max time kernel
36s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JKT48.exe
Size

8.0MB
MD5

41f5bac802f5e79dc2ca7a3db25d0001
SHA1

ce56c42cadd2db13edf03c15ce3b11c2cfa00f9e
SHA256

9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d
SHA512

94705e83ce1b104954be07210ea3648c7403a6dd86ebaf6e884ced1552636b6a05a3b2926415d6c49ff251a675815435e4b2a3c8f816bbbf68c08c3299db99ab
SSDEEP

196608:PF35AX/ip4e/aS3e+gr80KILDjhoOX9oeqZ8r8swzH0e:d3KX/o4eSTr80xHhJ8s63

Score

10^/10

bootkit defense_evasion discovery evasion execution exploit impact persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	JKT48.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	JKT48.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	JKT48.exe

Disables Task Manager via registry modification
defense_evasion
Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 32 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustedinstaller.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipconfig.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipconfig.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustedinstaller.exe\Debugger = "*/"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
1960	Process not Found
2720	Process not Found
1044	Process not Found
3004	Process not Found
2844	takeown.exe
2104	icacls.exe
1272	icacls.exe
3040	Process not Found
1764	Process not Found
1072	icacls.exe
1736	takeown.exe
2668	icacls.exe
920	Process not Found
1684	icacls.exe
2848	takeown.exe
2604	icacls.exe
2972	takeown.exe
2400	icacls.exe
204	takeown.exe
628	takeown.exe
2276	takeown.exe
976	Process not Found
2784	Process not Found
852	icacls.exe
2188	icacls.exe
972	Process not Found
320	Process not Found
852	Process not Found
1516	icacls.exe
1516	Process not Found
576	Process not Found
1388	Process not Found
2124	Process not Found
2180	takeown.exe
936	takeown.exe
2444	Process not Found
1032	Process not Found
2804	Process not Found
972	Process not Found
1008	takeown.exe
1048	Process not Found
1768	Process not Found
852	icacls.exe
1952	Process not Found
576	Process not Found
2524	Process not Found
2200	Process not Found
1348	icacls.exe
2876	takeown.exe
216	Process not Found
888	Process not Found
1332	takeown.exe
2344	icacls.exe
2344	icacls.exe
280	icacls.exe
2856	Process not Found
608	Process not Found
1308	icacls.exe
2688	takeown.exe
1252	icacls.exe
2156	Process not Found
2916	Process not Found
2288	Process not Found
2564	icacls.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2964	takeown.exe
2460	takeown.exe
2580	icacls.exe
1080	Process not Found
1816	Process not Found
2880	Process not Found
2444	icacls.exe
2788	takeown.exe
1636	takeown.exe
2056	Process not Found
2824	Process not Found
2276	Process not Found
2232	Process not Found
2876	Process not Found
1540	Process not Found
1296	Process not Found
576	Process not Found
1752	Process not Found
1852	Process not Found
604	Process not Found
2524	Process not Found
2044	Process not Found
1960	Process not Found
1136	Process not Found
1276	Process not Found
576	Process not Found
2680	Process not Found
1520	takeown.exe
2736	Process not Found
3040	Process not Found
1708	Process not Found
2756	Process not Found
2292	Process not Found
1860	Process not Found
2928	takeown.exe
1600	Process not Found
324	Process not Found
2848	takeown.exe
1124	Process not Found
584	Process not Found
1708	Process not Found
1188	Process not Found
628	Process not Found
1912	Process not Found
1124	takeown.exe
1748	Process not Found
2372	takeown.exe
3040	icacls.exe
2372	takeown.exe
2308	takeown.exe
1908	Process not Found
2008	Process not Found
1708	Process not Found
2528	Process not Found
2056	takeown.exe
576	Process not Found
1632	Process not Found
2740	Process not Found
2280	Process not Found
2092	icacls.exe
2044	takeown.exe
340	takeown.exe
1284	icacls.exe
1124	Process not Found

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	JKT48.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File created	C:\windows\system32\msconfig.exe	JKT48.exe
File created	C:\windows\system32\resmon.exe	JKT48.exe
File created	C:\windows\system32\logonui.exe	JKT48.exe
File created	C:\windows\system32\rundll32.exe	JKT48.exe
File created	C:\windows\system32\winload.exe	JKT48.exe
File created	C:\windows\syswow64\sfc.exe	JKT48.exe
File created	C:\windows\system32\reg.exe	JKT48.exe
File created	C:\windows\system32\utilman.exe	JKT48.exe
File created	C:\windows\system32\taskkill.exe	JKT48.exe
File created	C:\windows\system32\ntoskrnl.exe	JKT48.exe
File created	C:\windows\syswow64\cmd.exe	JKT48.exe
File created	C:\windows\system32\perfmon.msc	JKT48.exe
File created	C:\windows\syswow64\utilman.exe	JKT48.exe
File created	C:\windows\system32\sfc.exe	JKT48.exe
File created	C:\windows\syswow64\regedit.exe	JKT48.exe
File created	C:\windows\syswow64\taskmgr.exe	JKT48.exe
File created	C:\windows\syswow64\perfmon.exe	JKT48.exe
File created	C:\windows\syswow64\perfmon.msc	JKT48.exe
File created	C:\windows\syswow64\taskkill.exe	JKT48.exe
File created	C:\windows\system32\taskmgr.exe	JKT48.exe
File created	C:\windows\system32\rstrui.exe	JKT48.exe
File created	C:\windows\syswow64\rundll32.exe	JKT48.exe
File created	C:\windows\syswow64\reg.exe	JKT48.exe
File created	C:\windows\syswow64\sethc.exe	JKT48.exe
File created	C:\windows\system32\cmd.exe	JKT48.exe
File created	C:\windows\system32\sethc.exe	JKT48.exe
File created	C:\windows\system32\perfmon.exe	JKT48.exe
File created	C:\windows\system32\hal.dll	JKT48.exe
File created	C:\windows\syswow64\resmon.exe	JKT48.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXF012.tmp	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\991912613	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCXF11E.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\RCX1F61.tmp	JKT48.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\798813612	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\RCX208B.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\RCX1527.tmp	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\118706439	JKT48.exe
File created	C:\Program Files\Internet Explorer\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Microsoft Games\FreeCell\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\RCX1F60.tmp	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCXD76F.tmp	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Microsoft Games\Mahjong\701141344	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\RCX232E.tmp	JKT48.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\RCX1A3D.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\RCX1E08.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\397043303	JKT48.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\479586257	JKT48.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\RCXF239.tmp	JKT48.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Microsoft Games\Purble Place\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\991912613	JKT48.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\RCX1A3C.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\RCX18B5.tmp	JKT48.exe
File created	C:\Program Files\Microsoft Games\Solitaire\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\53704421	JKT48.exe
File created	C:\Program Files\Microsoft Games\Hearts\251091652	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\RCX1DF7.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\7-Zip\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXF023.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\RCX173C.tmp	JKT48.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\809631780	JKT48.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\118706439	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCXF11D.tmp	JKT48.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\60064185	JKT48.exe
File opened for modification	C:\Program Files\DVD Maker\RCXEB01.tmp	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\886140162	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\262114476	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\RCX24E5.tmp	JKT48.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\RCX1528.tmp	JKT48.exe
File created	C:\Program Files\Microsoft Games\Hearts\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\msvcp120ex.dll	JKT48.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\servicing\trustedinstaller.exe	JKT48.exe
File created	C:\windows\regedit.exe	JKT48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2432	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1780	JKT48.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	JKT48.exe
Token: SeDebugPrivilege	1780	JKT48.exe
Token: SeIncBasePriorityPrivilege	1780	JKT48.exe
Token: SeTakeOwnershipPrivilege	1992	takeown.exe
Token: SeTakeOwnershipPrivilege	2012	takeown.exe
Token: SeTakeOwnershipPrivilege	1852	takeown.exe
Token: SeTakeOwnershipPrivilege	3020	takeown.exe
Token: SeTakeOwnershipPrivilege	780	takeown.exe
Token: SeTakeOwnershipPrivilege	2676	takeown.exe
Token: SeTakeOwnershipPrivilege	2164	takeown.exe
Token: SeTakeOwnershipPrivilege	2680	takeown.exe
Token: SeTakeOwnershipPrivilege	2608	takeown.exe
Token: SeTakeOwnershipPrivilege	1640	takeown.exe
Token: SeTakeOwnershipPrivilege	920	takeown.exe
Token: SeTakeOwnershipPrivilege	2148	takeown.exe
Token: SeTakeOwnershipPrivilege	2724	takeown.exe
Token: SeTakeOwnershipPrivilege	2732	takeown.exe
Token: SeTakeOwnershipPrivilege	2804	takeown.exe
Token: SeTakeOwnershipPrivilege	2376	takeown.exe
Token: SeTakeOwnershipPrivilege	1124	takeown.exe
Token: SeTakeOwnershipPrivilege	1640	takeown.exe
Token: SeTakeOwnershipPrivilege	1332	takeown.exe
Token: SeTakeOwnershipPrivilege	448	takeown.exe
Token: SeTakeOwnershipPrivilege	1524	takeown.exe
Token: SeTakeOwnershipPrivilege	2300	takeown.exe
Token: SeTakeOwnershipPrivilege	1764	takeown.exe
Token: SeTakeOwnershipPrivilege	2120	takeown.exe
Token: SeTakeOwnershipPrivilege	328	takeown.exe
Token: SeTakeOwnershipPrivilege	1916	takeown.exe
Token: SeTakeOwnershipPrivilege	1692	takeown.exe
Token: SeTakeOwnershipPrivilege	2692	takeown.exe
Token: SeTakeOwnershipPrivilege	2508	takeown.exe
Token: SeTakeOwnershipPrivilege	2276	takeown.exe
Token: SeTakeOwnershipPrivilege	2900	takeown.exe
Token: SeTakeOwnershipPrivilege	2904	takeown.exe
Token: SeTakeOwnershipPrivilege	2372	takeown.exe
Token: SeTakeOwnershipPrivilege	2924	takeown.exe
Token: SeTakeOwnershipPrivilege	1808	takeown.exe
Token: SeTakeOwnershipPrivilege	1480	takeown.exe
Token: SeTakeOwnershipPrivilege	2036	takeown.exe
Token: SeTakeOwnershipPrivilege	536	takeown.exe
Token: SeTakeOwnershipPrivilege	1440	takeown.exe
Token: SeTakeOwnershipPrivilege	1080	takeown.exe
Token: SeTakeOwnershipPrivilege	740	takeown.exe
Token: SeTakeOwnershipPrivilege	604	takeown.exe
Token: SeTakeOwnershipPrivilege	2268	takeown.exe
Token: SeTakeOwnershipPrivilege	1544	takeown.exe
Token: SeTakeOwnershipPrivilege	756	takeown.exe
Token: SeTakeOwnershipPrivilege	2972	takeown.exe
Token: SeTakeOwnershipPrivilege	864	takeown.exe
Token: SeTakeOwnershipPrivilege	2448	takeown.exe
Token: SeTakeOwnershipPrivilege	1788	takeown.exe
Token: SeTakeOwnershipPrivilege	2132	takeown.exe
Token: SeTakeOwnershipPrivilege	2756	takeown.exe
Token: SeTakeOwnershipPrivilege	2152	takeown.exe
Token: SeTakeOwnershipPrivilege	2992	takeown.exe
Token: SeTakeOwnershipPrivilege	308	takeown.exe
Token: SeTakeOwnershipPrivilege	1812	takeown.exe
Token: SeTakeOwnershipPrivilege	2896	takeown.exe
Token: SeTakeOwnershipPrivilege	2580	takeown.exe
Token: SeTakeOwnershipPrivilege	2904	takeown.exe
Token: SeTakeOwnershipPrivilege	1140	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2324	takeown.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe
1780	JKT48.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2536	1780	JKT48.exe	30
PID 1780 wrote to memory of 2536	1780	JKT48.exe	30
PID 1780 wrote to memory of 2536	1780	JKT48.exe	30
PID 1780 wrote to memory of 2828	1780	JKT48.exe	32
PID 1780 wrote to memory of 2828	1780	JKT48.exe	32
PID 1780 wrote to memory of 2828	1780	JKT48.exe	32
PID 1780 wrote to memory of 1864	1780	JKT48.exe	34
PID 1780 wrote to memory of 1864	1780	JKT48.exe	34
PID 1780 wrote to memory of 1864	1780	JKT48.exe	34
PID 1780 wrote to memory of 2864	1780	JKT48.exe	36
PID 1780 wrote to memory of 2864	1780	JKT48.exe	36
PID 1780 wrote to memory of 2864	1780	JKT48.exe	36
PID 1780 wrote to memory of 2848	1780	JKT48.exe	38
PID 1780 wrote to memory of 2848	1780	JKT48.exe	38
PID 1780 wrote to memory of 2848	1780	JKT48.exe	38
PID 1780 wrote to memory of 2728	1780	JKT48.exe	40
PID 1780 wrote to memory of 2728	1780	JKT48.exe	40
PID 1780 wrote to memory of 2728	1780	JKT48.exe	40
PID 1780 wrote to memory of 2904	1780	JKT48.exe	42
PID 1780 wrote to memory of 2904	1780	JKT48.exe	42
PID 1780 wrote to memory of 2904	1780	JKT48.exe	42
PID 1780 wrote to memory of 2748	1780	JKT48.exe	44
PID 1780 wrote to memory of 2748	1780	JKT48.exe	44
PID 1780 wrote to memory of 2748	1780	JKT48.exe	44
PID 1780 wrote to memory of 2784	1780	JKT48.exe	46
PID 1780 wrote to memory of 2784	1780	JKT48.exe	46
PID 1780 wrote to memory of 2784	1780	JKT48.exe	46
PID 1780 wrote to memory of 2640	1780	JKT48.exe	48
PID 1780 wrote to memory of 2640	1780	JKT48.exe	48
PID 1780 wrote to memory of 2640	1780	JKT48.exe	48
PID 1780 wrote to memory of 3056	1780	JKT48.exe	50
PID 1780 wrote to memory of 3056	1780	JKT48.exe	50
PID 1780 wrote to memory of 3056	1780	JKT48.exe	50
PID 1780 wrote to memory of 2136	1780	JKT48.exe	52
PID 1780 wrote to memory of 2136	1780	JKT48.exe	52
PID 1780 wrote to memory of 2136	1780	JKT48.exe	52
PID 1780 wrote to memory of 1992	1780	JKT48.exe	54
PID 1780 wrote to memory of 1992	1780	JKT48.exe	54
PID 1780 wrote to memory of 1992	1780	JKT48.exe	54
PID 1780 wrote to memory of 1092	1780	JKT48.exe	56
PID 1780 wrote to memory of 1092	1780	JKT48.exe	56
PID 1780 wrote to memory of 1092	1780	JKT48.exe	56
PID 1780 wrote to memory of 2812	1780	JKT48.exe	58
PID 1780 wrote to memory of 2812	1780	JKT48.exe	58
PID 1780 wrote to memory of 2812	1780	JKT48.exe	58
PID 1780 wrote to memory of 976	1780	JKT48.exe	60
PID 1780 wrote to memory of 976	1780	JKT48.exe	60
PID 1780 wrote to memory of 976	1780	JKT48.exe	60
PID 1780 wrote to memory of 2788	1780	JKT48.exe	62
PID 1780 wrote to memory of 2788	1780	JKT48.exe	62
PID 1780 wrote to memory of 2788	1780	JKT48.exe	62
PID 1780 wrote to memory of 2580	1780	JKT48.exe	64
PID 1780 wrote to memory of 2580	1780	JKT48.exe	64
PID 1780 wrote to memory of 2580	1780	JKT48.exe	64
PID 1780 wrote to memory of 2916	1780	JKT48.exe	66
PID 1780 wrote to memory of 2916	1780	JKT48.exe	66
PID 1780 wrote to memory of 2916	1780	JKT48.exe	66
PID 1780 wrote to memory of 2012	1780	JKT48.exe	68
PID 1780 wrote to memory of 2012	1780	JKT48.exe	68
PID 1780 wrote to memory of 2012	1780	JKT48.exe	68
PID 1780 wrote to memory of 1224	1780	JKT48.exe	70
PID 1780 wrote to memory of 1224	1780	JKT48.exe	70
PID 1780 wrote to memory of 1224	1780	JKT48.exe	70
PID 1780 wrote to memory of 1756	1780	JKT48.exe	72

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	JKT48.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JKT48.exe
"C:\Users\Admin\AppData\Local\Temp\JKT48.exe"
1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1780
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin" /a
  2⤵
  PID:2536
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin" /grant Administrators:F
  2⤵
  PID:2828
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000" /a
  2⤵
  PID:1864
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000" /grant Administrators:F
  2⤵
  PID:2864
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Documents and Settings" /a
  2⤵
  PID:2848
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Documents and Settings" /grant Administrators:F
  2⤵
  PID:2728
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache" /a
  2⤵
  PID:2904
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache" /grant Administrators:F
  2⤵
  PID:2748
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users" /a
  2⤵
  PID:2784
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users" /grant Administrators:F
  2⤵
  PID:2640
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C" /a
  2⤵
  PID:3056
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2136
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\cmd.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\cmd.exe" /grant Administrators:F
  2⤵
  PID:1092
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe" /a
  2⤵
  PID:2812
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe" /grant Administrators:F
  2⤵
  PID:976
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2788
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2580
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi" /a
  2⤵
  PID:2916
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\regedit.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi" /grant Administrators:F
  2⤵
  PID:1224
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\regedit.exe" /grant Administrators:F
  2⤵
  PID:1756
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2068
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:752
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi" /a
  2⤵
  PID:2196
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\reg.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi" /grant Administrators:F
  2⤵
  PID:3000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\reg.exe" /grant Administrators:F
  2⤵
  PID:2332
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:680
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:792
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi" /a
  2⤵
  PID:1768
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi" /grant Administrators:F
  2⤵
  PID:544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskmgr.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\taskmgr.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2564
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:1328
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi" /a
  2⤵
  PID:1612
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi" /grant Administrators:F
  2⤵
  PID:1604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\msconfig.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\msconfig.exe" /grant Administrators:F
  2⤵
  PID:308
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2852
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi" /a
  2⤵
  PID:2716
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi" /grant Administrators:F
  2⤵
  PID:2728
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2612
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\utilman.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\utilman.exe" /grant Administrators:F
  2⤵
  PID:2652
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi" /a
  2⤵
  PID:852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi" /grant Administrators:F
  2⤵
  PID:1828
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en" /a
  2⤵
  PID:1912
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en" /grant Administrators:F
  2⤵
  PID:1724
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi" /a
  2⤵
  PID:1640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi" /grant Administrators:F
  2⤵
  PID:1124
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\sethc.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es" /a
  2⤵
  PID:2708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\sethc.exe" /grant Administrators:F
  2⤵
  PID:2032
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es" /grant Administrators:F
  2⤵
  PID:2324
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi" /a
  2⤵
  PID:2452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi" /grant Administrators:F
  2⤵
  PID:2180
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr" /a
  2⤵
  PID:1816
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr" /grant Administrators:F
  2⤵
  PID:1320
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.exe" /grant Administrators:F
  2⤵
  PID:2988
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi" /a
  2⤵
  PID:1752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi" /grant Administrators:F
  2⤵
  PID:2188
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:756
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:328
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi" /a
  2⤵
  PID:2564
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi" /grant Administrators:F
  2⤵
  PID:380
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.msc" /a
  2⤵
  PID:2228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.msc" /grant Administrators:F
  2⤵
  PID:3040
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2844
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2092
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:2356
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:2876
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\resmon.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi" /a
  2⤵
  PID:2124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\resmon.exe" /grant Administrators:F
  2⤵
  PID:1812
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi" /grant Administrators:F
  2⤵
  PID:2748
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:1092
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:1488
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE" /a
  2⤵
  PID:2912
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE" /grant Administrators:F
  2⤵
  PID:2788
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033" /a
  2⤵
  PID:1908
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\logonui.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033" /grant Administrators:F
  2⤵
  PID:2956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\logonui.exe" /grant Administrators:F
  2⤵
  PID:2232
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C" /a
  2⤵
  PID:688
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:1796
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi" /a
  2⤵
  PID:1892
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi" /grant Administrators:F
  2⤵
  PID:448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi" /a
  2⤵
  PID:1284
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi" /grant Administrators:F
  2⤵
  PID:1988
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C" /a
  2⤵
  PID:680
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskkill.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\taskkill.exe" /grant Administrators:F
  2⤵
  PID:2120
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C" /grant Administrators:F
  2⤵
  PID:1768
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi" /a
  2⤵
  PID:2928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi" /grant Administrators:F
  2⤵
  PID:1956
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\rundll32.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\rundll32.exe" /grant Administrators:F
  2⤵
  PID:2564
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us" /a
  2⤵
  PID:1596
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us" /grant Administrators:F
  2⤵
  PID:2408
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi" /a
  2⤵
  PID:2076
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi" /grant Administrators:F
  2⤵
  PID:2504
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\PerfLogs" /a
  2⤵
  PID:2880
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\PerfLogs" /grant Administrators:F
  2⤵
  PID:2816
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\PerfLogs\Admin" /a
  2⤵
  PID:2728
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\PerfLogs\Admin" /grant Administrators:F
  2⤵
  PID:2636
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\rstrui.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\rstrui.exe" /grant Administrators:F
  2⤵
  PID:2876
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files" /grant Administrators:F
  2⤵
  PID:1808
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\sfc.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\sfc.exe" /grant Administrators:F
  2⤵
  PID:1804
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip" /a
  2⤵
  PID:2896
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip" /grant Administrators:F
  2⤵
  PID:488
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\7z.exe" /a
  2⤵
  PID:1488
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\winload.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\7z.exe" /grant Administrators:F
  2⤵
  PID:1912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\Lang" /a
  2⤵
  PID:2952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\winload.exe" /grant Administrators:F
  2⤵
  PID:1080
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\Lang" /grant Administrators:F
  2⤵
  PID:1228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files" /grant Administrators:F
  2⤵
  PID:2964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared" /grant Administrators:F
  2⤵
  PID:1532
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Filters" /a
  2⤵
  PID:2032
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Filters" /grant Administrators:F
  2⤵
  PID:2448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink" /grant Administrators:F
  2⤵
  PID:2452
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\ntoskrnl.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\ntoskrnl.exe" /grant Administrators:F
  2⤵
  PID:1208
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe" /grant Administrators:F
  2⤵
  PID:2160
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA" /grant Administrators:F
  2⤵
  PID:1748
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\hal.dll" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG" /grant Administrators:F
  2⤵
  PID:920
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\hal.dll" /grant Administrators:F
  2⤵
  PID:1272
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ" /grant Administrators:F
  2⤵
  PID:752
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK" /grant Administrators:F
  2⤵
  PID:1604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE" /grant Administrators:F
  2⤵
  PID:2132
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR" /grant Administrators:F
  2⤵
  PID:1736
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\servicing\trustedinstaller.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\en-US" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\en-US" /grant Administrators:F
  2⤵
  PID:2848
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\servicing\trustedinstaller.exe" /grant Administrators:F
  2⤵
  PID:2836
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES" /grant Administrators:F
  2⤵
  PID:2620
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE" /grant Administrators:F
  2⤵
  PID:1660
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI" /grant Administrators:F
  2⤵
  PID:1372
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR" /grant Administrators:F
  2⤵
  PID:796
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\cmd.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions" /grant Administrators:F
  2⤵
  PID:844
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\cmd.exe" /grant Administrators:F
  2⤵
  PID:2444
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad" /grant Administrators:F
  2⤵
  PID:1224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad" /grant Administrators:F
  2⤵
  PID:2496
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\regedit.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\regedit.exe" /grant Administrators:F
  2⤵
  PID:304
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main" /grant Administrators:F
  2⤵
  PID:2244
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers" /grant Administrators:F
  2⤵
  PID:1388
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:604
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu" /grant Administrators:F
  2⤵
  PID:2488
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad" /grant Administrators:F
  2⤵
  PID:1672
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred" /grant Administrators:F
  2⤵
  PID:1856
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\reg.exe" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols" /grant Administrators:F
  2⤵
  PID:2928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\reg.exe" /grant Administrators:F
  2⤵
  PID:2892
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web" /grant Administrators:F
  2⤵
  PID:448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1516
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR" /grant Administrators:F
  2⤵
  PID:2532
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU" /grant Administrators:F
  2⤵
  PID:2504
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskmgr.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskmgr.exe" /grant Administrators:F
  2⤵
  PID:2944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization" /grant Administrators:F
  2⤵
  PID:2508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT" /grant Administrators:F
  2⤵
  PID:2616
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:308
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP" /grant Administrators:F
  2⤵
  PID:3056
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:852
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT" /grant Administrators:F
  2⤵
  PID:296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\utilman.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\utilman.exe" /grant Administrators:F
  2⤵
  PID:796
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV" /grant Administrators:F
  2⤵
  PID:904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO" /grant Administrators:F
  2⤵
  PID:2912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL" /grant Administrators:F
  2⤵
  PID:2260
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1308
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR" /a
  2⤵
  PID:688
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR" /grant Administrators:F
  2⤵
  PID:1952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT" /a
  2⤵
  PID:3000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.exe" /a
  2⤵
  PID:2588
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.exe" /grant Administrators:F
  2⤵
  PID:940
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT" /grant Administrators:F
  2⤵
  PID:1284
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO" /a
  2⤵
  PID:2308
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO" /grant Administrators:F
  2⤵
  PID:1484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU" /a
  2⤵
  PID:1632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU" /grant Administrators:F
  2⤵
  PID:2204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK" /a
  2⤵
  PID:1080
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK" /grant Administrators:F
  2⤵
  PID:604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI" /a
  2⤵
  PID:1036
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI" /grant Administrators:F
  2⤵
  PID:2280
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS" /a
  2⤵
  PID:876
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS" /grant Administrators:F
  2⤵
  PID:1712
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.msc" /a
  2⤵
  PID:2452
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE" /a
  2⤵
  PID:3048
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.msc" /grant Administrators:F
  2⤵
  PID:2400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE" /grant Administrators:F
  2⤵
  PID:2824
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH" /a
  2⤵
  PID:3040
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH" /grant Administrators:F
  2⤵
  PID:2720
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR" /a
  2⤵
  PID:2852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR" /grant Administrators:F
  2⤵
  PID:448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA" /a
  2⤵
  PID:1788
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA" /grant Administrators:F
  2⤵
  PID:2228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN" /a
  2⤵
  PID:2828
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN" /grant Administrators:F
  2⤵
  PID:2820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW" /a
  2⤵
  PID:2624
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\resmon.exe" /a
  2⤵
  PID:324
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW" /grant Administrators:F
  2⤵
  PID:2920
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\resmon.exe" /grant Administrators:F
  2⤵
  PID:488
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /a
  2⤵
  PID:1052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /grant Administrators:F
  2⤵
  PID:1144
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /a
  2⤵
  PID:332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /grant Administrators:F
  2⤵
  PID:1044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE" /a
  2⤵
  PID:2012
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE" /grant Administrators:F
  2⤵
  PID:2904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US" /a
  2⤵
  PID:1812
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US" /grant Administrators:F
  2⤵
  PID:1912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sethc.exe" /a
  2⤵
  PID:2964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES" /a
  2⤵
  PID:2056
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\sethc.exe" /grant Administrators:F
  2⤵
  PID:2804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES" /grant Administrators:F
  2⤵
  PID:1308
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR" /a
  2⤵
  PID:1892
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR" /grant Administrators:F
  2⤵
  PID:2460
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT" /a
  2⤵
  PID:2592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT" /grant Administrators:F
  2⤵
  PID:1960
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP" /a
  2⤵
  PID:2248
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP" /grant Administrators:F
  2⤵
  PID:1048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OFFICE14" /a
  2⤵
  PID:1500
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OFFICE14" /grant Administrators:F
  2⤵
  PID:1284
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskkill.exe" /a
  2⤵
  PID:1080
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /a
  2⤵
  PID:1688
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskkill.exe" /grant Administrators:F
  2⤵
  PID:2480
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /grant Administrators:F
  2⤵
  PID:3028
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures" /a
  2⤵
  PID:2116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures" /grant Administrators:F
  2⤵
  PID:1076
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform" /a
  2⤵
  PID:2280
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform" /grant Administrators:F
  2⤵
  PID:604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sfc.exe" /a
  2⤵
  PID:1436
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\sfc.exe" /grant Administrators:F
  2⤵
  PID:2564
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" /a
  2⤵
  PID:2092
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" /grant Administrators:F
  2⤵
  PID:2504
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Stationery" /a
  2⤵
  PID:2692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Stationery" /grant Administrators:F
  2⤵
  PID:2508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv" /a
  2⤵
  PID:2320
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv" /grant Administrators:F
  2⤵
  PID:2748
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE" /a
  2⤵
  PID:2808
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE" /grant Administrators:F
  2⤵
  PID:2732
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US" /a
  2⤵
  - Modifies file permissions
  PID:2044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\rundll32.exe" /a
  2⤵
  PID:1372
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US" /grant Administrators:F
  2⤵
  PID:2876
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\rundll32.exe" /grant Administrators:F
  2⤵
  PID:2788
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES" /a
  2⤵
  PID:1608
- C:\windows\system32\vssadmin.exe
  "C:\windows\system32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2432
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES" /grant Administrators:F
  2⤵
  PID:1052
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR" /a
  2⤵
  PID:296
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR" /grant Administrators:F
  2⤵
  PID:2904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT" /a
  2⤵
  PID:2932
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT" /grant Administrators:F
  2⤵
  PID:2608
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP" /a
  2⤵
  - Modifies file permissions
  PID:2056
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP" /grant Administrators:F
  2⤵
  PID:2804
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit" /a
  2⤵
  PID:628
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit" /grant Administrators:F
  2⤵
  PID:1652
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE" /a
  2⤵
  PID:1520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE" /grant Administrators:F
  2⤵
  PID:684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US" /a
  2⤵
  PID:1428
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US" /grant Administrators:F
  2⤵
  PID:2204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES" /a
  2⤵
  - Modifies file permissions
  PID:1124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES" /grant Administrators:F
  2⤵
  PID:2120
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR" /a
  2⤵
  PID:1604
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR" /grant Administrators:F
  2⤵
  PID:2172
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT" /a
  2⤵
  PID:1080
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT" /grant Administrators:F
  2⤵
  PID:1960
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP" /a
  2⤵
  PID:1708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP" /grant Administrators:F
  2⤵
  PID:1792
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VC" /a
  2⤵
  PID:2492
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VC" /grant Administrators:F
  2⤵
  PID:2452
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VGX" /a
  2⤵
  PID:1208
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VGX" /grant Administrators:F
  2⤵
  PID:2388
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO" /a
  2⤵
  PID:2852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO" /grant Administrators:F
  2⤵
  PID:1516
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0" /a
  2⤵
  PID:864
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0" /grant Administrators:F
  2⤵
  PID:2848
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe" /a
  2⤵
  PID:3064
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe" /grant Administrators:F
  2⤵
  PID:2784
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033" /a
  2⤵
  PID:1032
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033" /grant Administrators:F
  2⤵
  PID:1660
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Services" /a
  2⤵
  PID:2716
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Services" /grant Administrators:F
  2⤵
  PID:2936
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines" /a
  2⤵
  PID:852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines" /grant Administrators:F
  2⤵
  PID:1608
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft" /a
  2⤵
  PID:296
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft" /grant Administrators:F
  2⤵
  PID:2772
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20" /a
  2⤵
  PID:444
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20" /grant Administrators:F
  2⤵
  PID:2124
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE" /a
  2⤵
  - Modifies file permissions
  PID:2964
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE" /grant Administrators:F
  2⤵
  PID:2516
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2180
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US" /grant Administrators:F
  2⤵
  PID:2796
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk" /a
  2⤵
  PID:3020
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk" /grant Administrators:F
  2⤵
  PID:756
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES" /a
  2⤵
  PID:1908
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES" /grant Administrators:F
  2⤵
  PID:628
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR" /a
  2⤵
  PID:2156
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR" /grant Administrators:F
  2⤵
  PID:340
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT" /a
  2⤵
  PID:1964
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT" /grant Administrators:F
  2⤵
  PID:1684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP" /a
  2⤵
  PID:2032
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2188
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System" /a
  2⤵
  PID:1048
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System" /grant Administrators:F
  2⤵
  PID:1768
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado" /a
  2⤵
  PID:1256
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado" /grant Administrators:F
  2⤵
  PID:1076
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\de-DE" /a
  2⤵
  PID:2844
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\de-DE" /grant Administrators:F
  2⤵
  PID:2760
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\en-US" /a
  2⤵
  PID:2452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\en-US" /grant Administrators:F
  2⤵
  PID:2720
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\es-ES" /a
  2⤵
  PID:3040
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\es-ES" /grant Administrators:F
  2⤵
  PID:792
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\fr-FR" /a
  2⤵
  PID:2528
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\fr-FR" /grant Administrators:F
  2⤵
  PID:2160
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\it-IT" /a
  2⤵
  PID:2840
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\it-IT" /grant Administrators:F
  2⤵
  PID:1276
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\ja-JP" /a
  2⤵
  PID:228
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\ja-JP" /grant Administrators:F
  2⤵
  PID:324
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\de-DE" /a
  2⤵
  PID:1992
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\de-DE" /grant Administrators:F
  2⤵
  PID:2632
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\en-US" /a
  2⤵
  PID:1804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\en-US" /grant Administrators:F
  2⤵
  PID:3032
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\es-ES" /a
  2⤵
  PID:2312
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\es-ES" /grant Administrators:F
  2⤵
  PID:2936
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\fr-FR" /a
  2⤵
  PID:2400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\fr-FR" /grant Administrators:F
  2⤵
  PID:2092
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\it-IT" /a
  2⤵
  PID:1188
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\it-IT" /grant Administrators:F
  2⤵
  PID:332
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ja-JP" /a
  2⤵
  PID:1636
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ja-JP" /grant Administrators:F
  2⤵
  PID:1952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc" /a
  2⤵
  PID:852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc" /grant Administrators:F
  2⤵
  PID:2888
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\de-DE" /a
  2⤵
  PID:1988
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\de-DE" /grant Administrators:F
  2⤵
  PID:888
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\en-US" /a
  2⤵
  PID:1328
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\en-US" /grant Administrators:F
  2⤵
  PID:2588
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\es-ES" /a
  2⤵
  PID:2932
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\es-ES" /grant Administrators:F
  2⤵
  PID:536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\fr-FR" /a
  2⤵
  PID:1744
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\fr-FR" /grant Administrators:F
  2⤵
  PID:340
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\it-IT" /a
  2⤵
  PID:1272
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\it-IT" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2344
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\ja-JP" /a
  2⤵
  PID:2360
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\ja-JP" /grant Administrators:F
  2⤵
  PID:1600
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB" /a
  2⤵
  PID:1768
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB" /grant Administrators:F
  2⤵
  PID:2480
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\de-DE" /a
  2⤵
  PID:2572
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\de-DE" /grant Administrators:F
  2⤵
  PID:1420
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\en-US" /a
  2⤵
  PID:2844
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\en-US" /grant Administrators:F
  2⤵
  PID:1080
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\es-ES" /a
  2⤵
  PID:2280
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\es-ES" /grant Administrators:F
  2⤵
  PID:1208
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\fr-FR" /a
  2⤵
  PID:876
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\fr-FR" /grant Administrators:F
  2⤵
  PID:2152
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\it-IT" /a
  2⤵
  PID:2836
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\it-IT" /grant Administrators:F
  2⤵
  PID:2908
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\ja-JP" /a
  2⤵
  PID:1276
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\ja-JP" /grant Administrators:F
  2⤵
  PID:680
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker" /a
  2⤵
  PID:1112
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker" /grant Administrators:F
  2⤵
  PID:864
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\DVDMaker.exe" /a
  2⤵
  PID:1992
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\DVDMaker.exe" /grant Administrators:F
  2⤵
  PID:2200
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\de-DE" /a
  2⤵
  PID:2008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\de-DE" /grant Administrators:F
  2⤵
  PID:2876
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\en-US" /a
  2⤵
  PID:2240
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\en-US" /grant Administrators:F
  2⤵
  PID:1924
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\es-ES" /a
  2⤵
  PID:2400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\es-ES" /grant Administrators:F
  2⤵
  PID:2996
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\fr-FR" /a
  2⤵
  PID:1608
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\fr-FR" /grant Administrators:F
  2⤵
  PID:2964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\it-IT" /a
  2⤵
  PID:1952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\it-IT" /grant Administrators:F
  2⤵
  PID:544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\ja-JP" /a
  2⤵
  PID:304
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\ja-JP" /grant Administrators:F
  2⤵
  PID:3000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared" /a
  2⤵
  PID:684
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared" /grant Administrators:F
  2⤵
  PID:3020
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles" /a
  2⤵
  PID:1728
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles" /grant Administrators:F
  2⤵
  PID:2308
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy" /a
  2⤵
  PID:2932
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy" /grant Administrators:F
  2⤵
  PID:1524
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl" /a
  2⤵
  PID:2248
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl" /grant Administrators:F
  2⤵
  PID:1284
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage" /a
  2⤵
  PID:2120
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage" /grant Administrators:F
  2⤵
  PID:1048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Full" /a
  2⤵
  PID:1692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Full" /grant Administrators:F
  2⤵
  PID:2016
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle" /a
  2⤵
  PID:2004
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle" /grant Administrators:F
  2⤵
  PID:2148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles" /a
  2⤵
  PID:1136
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles" /grant Administrators:F
  2⤵
  PID:2856
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories" /a
  2⤵
  PID:2844
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories" /grant Administrators:F
  2⤵
  PID:2644
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2276
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge" /grant Administrators:F
  2⤵
  PID:2664
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance" /a
  2⤵
  PID:2152
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3040
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets" /a
  2⤵
  PID:728
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets" /grant Administrators:F
  2⤵
  PID:2828
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Push" /a
  2⤵
  PID:2636
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Push" /grant Administrators:F
  2⤵
  PID:228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles" /grant Administrators:F
  2⤵
  PID:1804
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels" /a
  2⤵
  PID:2200
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels" /grant Administrators:F
  2⤵
  PID:2000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter" /a
  2⤵
  PID:2728
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter" /grant Administrators:F
  2⤵
  PID:2272
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion" /a
  2⤵
  PID:332
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion" /grant Administrators:F
  2⤵
  PID:1924
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports" /a
  2⤵
  PID:1032
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports" /grant Administrators:F
  2⤵
  PID:2400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking" /a
  2⤵
  PID:2868
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking" /grant Administrators:F
  2⤵
  PID:1072
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel" /a
  2⤵
  PID:292
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel" /grant Administrators:F
  2⤵
  PID:2680
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall" /a
  2⤵
  PID:544
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall" /grant Administrators:F
  2⤵
  PID:936
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette" /a
  2⤵
  PID:684
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette" /grant Administrators:F
  2⤵
  PID:1428
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google" /a
  2⤵
  PID:2972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google" /grant Administrators:F
  2⤵
  PID:1616
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome" /a
  2⤵
  PID:1816
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome" /grant Administrators:F
  2⤵
  PID:1764
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application" /a
  2⤵
  PID:2592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\chrome.exe" /a
  2⤵
  PID:1124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\chrome.exe" /grant Administrators:F
  2⤵
  PID:1340
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119" /a
  2⤵
  PID:2396
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119" /grant Administrators:F
  2⤵
  PID:2944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe" /a
  2⤵
  PID:2148
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe" /grant Administrators:F
  2⤵
  PID:1708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps" /a
  2⤵
  PID:2908
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps" /grant Administrators:F
  2⤵
  PID:216
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions" /a
  2⤵
  PID:680
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions" /grant Administrators:F
  2⤵
  PID:2080
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer" /a
  2⤵
  PID:2276
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer" /grant Administrators:F
  2⤵
  PID:2712
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" /a
  2⤵
  PID:2532
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2444
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales" /a
  2⤵
  PID:2168
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales" /grant Administrators:F
  2⤵
  PID:2748
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload" /a
  2⤵
  PID:2580
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload" /grant Administrators:F
  2⤵
  PID:2012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements" /a
  2⤵
  PID:2956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements" /grant Administrators:F
  2⤵
  PID:3052
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm" /a
  2⤵
  PID:2144
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm" /grant Administrators:F
  2⤵
  PID:1988
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific" /a
  2⤵
  PID:1672
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific" /grant Administrators:F
  2⤵
  PID:2868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64" /a
  2⤵
  PID:1112
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64" /grant Administrators:F
  2⤵
  PID:2996
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\SetupMetrics" /a
  2⤵
  PID:2516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\SetupMetrics" /grant Administrators:F
  2⤵
  PID:2608
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer" /a
  2⤵
  PID:2804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer" /grant Administrators:F
  2⤵
  PID:1952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\iediagcmd.exe" /a
  2⤵
  PID:2308
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\iediagcmd.exe" /grant Administrators:F
  2⤵
  PID:280
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\de-DE" /a
  2⤵
  PID:2592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\de-DE" /grant Administrators:F
  2⤵
  PID:688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\en-US" /a
  2⤵
  PID:2824
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\en-US" /grant Administrators:F
  2⤵
  PID:1124
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\es-ES" /a
  2⤵
  PID:2248
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\es-ES" /grant Administrators:F
  2⤵
  PID:1296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\fr-FR" /a
  2⤵
  PID:1792
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\fr-FR" /grant Administrators:F
  2⤵
  PID:2944
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\images" /a
  2⤵
  PID:1436
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\images" /grant Administrators:F
  2⤵
  PID:2452
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\it-IT" /a
  2⤵
  PID:2852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\it-IT" /grant Administrators:F
  2⤵
  PID:2136
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\ja-JP" /a
  2⤵
  PID:2668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\ja-JP" /grant Administrators:F
  2⤵
  PID:2736
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\SIGNUP" /a
  2⤵
  PID:780
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\SIGNUP" /grant Administrators:F
  2⤵
  PID:2036
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java" /a
  2⤵
  PID:2652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java" /grant Administrators:F
  2⤵
  PID:2276
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80" /a
  2⤵
  PID:324
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80" /grant Administrators:F
  2⤵
  PID:228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\bin" /a
  2⤵
  PID:2532
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\bin" /grant Administrators:F
  2⤵
  PID:1804
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe" /a
  2⤵
  PID:2692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe" /grant Administrators:F
  2⤵
  PID:2816
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\db" /a
  2⤵
  PID:2808
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\db" /grant Administrators:F
  2⤵
  PID:2580
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\db\bin" /a
  2⤵
  PID:1188
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\db\bin" /grant Administrators:F
  2⤵
  PID:1812
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\db\lib" /a
  2⤵
  PID:2260
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\db\lib" /grant Administrators:F
  2⤵
  PID:1752
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\include" /a
  2⤵
  PID:940
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\include" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1072
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\include\win32" /a
  2⤵
  PID:2788
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\include\win32" /grant Administrators:F
  2⤵
  PID:1596
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge" /a
  2⤵
  PID:1728
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge" /grant Administrators:F
  2⤵
  PID:2608
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre" /a
  2⤵
  PID:340
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre" /grant Administrators:F
  2⤵
  PID:2932
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin" /a
  2⤵
  PID:1748
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin" /grant Administrators:F
  2⤵
  PID:1600
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe" /a
  2⤵
  PID:2972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe" /grant Administrators:F
  2⤵
  PID:2496
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin" /a
  2⤵
  PID:3028
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin" /grant Administrators:F
  2⤵
  PID:1048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2" /a
  2⤵
  PID:1500
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2" /grant Administrators:F
  2⤵
  PID:1420
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server" /a
  2⤵
  PID:2280
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server" /grant Administrators:F
  2⤵
  PID:1960
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib" /a
  2⤵
  PID:448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib" /grant Administrators:F
  2⤵
  PID:2076
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe" /a
  2⤵
  PID:232
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe" /grant Administrators:F
  2⤵
  PID:1276
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64" /a
  2⤵
  PID:1124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64" /grant Administrators:F
  2⤵
  PID:556
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet" /a
  2⤵
  PID:2228
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet" /grant Administrators:F
  2⤵
  PID:2152
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm" /a
  2⤵
  PID:2880
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm" /grant Administrators:F
  2⤵
  PID:2664
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy" /a
  2⤵
  PID:224
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy" /grant Administrators:F
  2⤵
  PID:2924
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext" /a
  2⤵
  PID:2716
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext" /grant Administrators:F
  2⤵
  PID:1008
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts" /a
  2⤵
  PID:380
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts" /grant Administrators:F
  2⤵
  PID:2936
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images" /a
  2⤵
  PID:2748
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images" /grant Administrators:F
  2⤵
  PID:2012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors" /a
  2⤵
  PID:1348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors" /grant Administrators:F
  2⤵
  PID:1280
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr" /a
  2⤵
  PID:292
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr" /grant Administrators:F
  2⤵
  PID:3060
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management" /a
  2⤵
  PID:1544
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management" /grant Administrators:F
  2⤵
  PID:2968
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security" /a
  2⤵
  - Modifies file permissions
  PID:2788
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security" /grant Administrators:F
  2⤵
  PID:796
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi" /a
  2⤵
  PID:768
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi" /grant Administrators:F
  2⤵
  PID:2056
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa" /a
  2⤵
  - Modifies file permissions
  PID:1636
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa" /grant Administrators:F
  2⤵
  PID:408
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America" /a
  2⤵
  PID:1632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America" /grant Administrators:F
  2⤵
  PID:1956
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina" /a
  2⤵
  - Modifies file permissions
  PID:340
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina" /grant Administrators:F
  2⤵
  PID:2552
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana" /a
  2⤵
  PID:2592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana" /grant Administrators:F
  2⤵
  PID:1912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky" /a
  2⤵
  PID:2188
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky" /grant Administrators:F
  2⤵
  PID:2164
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota" /a
  2⤵
  PID:1136
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota" /grant Administrators:F
  2⤵
  PID:2148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica" /a
  2⤵
  PID:2160
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica" /grant Administrators:F
  2⤵
  PID:2280
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia" /a
  2⤵
  PID:2972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia" /grant Administrators:F
  2⤵
  PID:1864
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic" /a
  2⤵
  PID:2908
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic" /grant Administrators:F
  2⤵
  PID:2736
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia" /a
  2⤵
  PID:2004
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia" /grant Administrators:F
  2⤵
  PID:1276
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc" /a
  2⤵
  PID:2300
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc" /grant Administrators:F
  2⤵
  PID:2356
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe" /a
  2⤵
  PID:2652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe" /grant Administrators:F
  2⤵
  PID:2636
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian" /a
  2⤵
  PID:3064
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian" /grant Administrators:F
  2⤵
  PID:2848
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific" /a
  2⤵
  - Modifies file permissions
  PID:2372
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific" /grant Administrators:F
  2⤵
  PID:904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV" /a
  2⤵
  PID:1540
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV" /grant Administrators:F
  2⤵
  PID:2672
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib" /a
  2⤵
  PID:1440
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib" /grant Administrators:F
  2⤵
  PID:576
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol" /a
  2⤵
  PID:2312
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol" /grant Administrators:F
  2⤵
  PID:1008
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration" /a
  2⤵
  PID:1476
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration" /grant Administrators:F
  2⤵
  PID:2732
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator" /a
  2⤵
  PID:544
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator" /grant Administrators:F
  2⤵
  PID:936
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update" /a
  2⤵
  PID:852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update" /grant Administrators:F
  2⤵
  PID:2332
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins" /a
  2⤵
  - Modifies file permissions
  PID:1520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins" /grant Administrators:F
  2⤵
  PID:2308
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features" /a
  2⤵
  PID:1272
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features" /grant Administrators:F
  2⤵
  PID:2208
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303" /a
  2⤵
  PID:2096
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2788
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303" /a
  2⤵
  PID:1544
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:1924
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303" /a
  2⤵
  PID:2292
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2460
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303" /a
  2⤵
  PID:2720
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2592
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303" /a
  2⤵
  PID:1208
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303" /a
  2⤵
  PID:2496
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:3028
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303" /a
  2⤵
  PID:2856
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:1296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002" /a
  2⤵
  PID:2704
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002" /grant Administrators:F
  2⤵
  PID:2160
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002" /a
  2⤵
  PID:2408
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002" /grant Administrators:F
  2⤵
  PID:844
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2688
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033" /grant Administrators:F
  2⤵
  PID:728
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF" /a
  2⤵
  PID:2916
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF" /grant Administrators:F
  2⤵
  PID:2432
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444" /a
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2848
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444" /grant Administrators:F
  2⤵
  PID:1820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF" /a
  2⤵
  PID:2632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:1140
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444" /a
  2⤵
  PID:2044
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444" /grant Administrators:F
  2⤵
  PID:3068
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF" /a
  2⤵
  PID:1540
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444" /a
  2⤵
  PID:2012
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444" /grant Administrators:F
  2⤵
  PID:380
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF" /a
  2⤵
  PID:1640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:1008
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444" /a
  2⤵
  PID:1188
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444" /grant Administrators:F
  2⤵
  PID:940
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF" /a
  2⤵
  PID:2504
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:1952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444" /a
  2⤵
  PID:972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:852
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF" /a
  2⤵
  PID:1748
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  PID:280
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444" /a
  2⤵
  PID:2480
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444" /grant Administrators:F
  2⤵
  PID:408
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF" /a
  2⤵
  PID:536
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2344
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043" /a
  2⤵
  PID:1240
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043" /grant Administrators:F
  2⤵
  PID:1544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1736
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF" /grant Administrators:F
  2⤵
  PID:2948
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043" /a
  2⤵
  PID:208
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043" /grant Administrators:F
  2⤵
  PID:2448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF" /a
  2⤵
  PID:2800
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF" /grant Administrators:F
  2⤵
  PID:2836
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116" /a
  2⤵
  PID:200
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2668
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF" /a
  2⤵
  PID:2148
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF" /grant Administrators:F
  2⤵
  PID:1864
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116" /a
  2⤵
  PID:2528
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116" /grant Administrators:F
  2⤵
  PID:2160
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF" /a
  2⤵
  PID:3040
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF" /grant Administrators:F
  2⤵
  PID:316
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301" /a
  2⤵
  PID:2916
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301" /grant Administrators:F
  2⤵
  PID:2320
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF" /a
  2⤵
  PID:2620
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF" /grant Administrators:F
  2⤵
  PID:232
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301" /a
  2⤵
  PID:2876
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301" /grant Administrators:F
  2⤵
  PID:2956
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF" /a
  2⤵
  PID:888
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF" /grant Administrators:F
  2⤵
  PID:2728
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2" /a
  2⤵
  PID:2400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2" /grant Administrators:F
  2⤵
  PID:2244
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core" /a
  2⤵
  PID:2900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core" /grant Administrators:F
  2⤵
  PID:2144
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache" /a
  2⤵
  PID:2012
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache" /grant Administrators:F
  2⤵
  PID:2936
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary" /a
  2⤵
  - Possible privilege escalation attempt
  PID:936
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary" /grant Administrators:F
  2⤵
  PID:1328
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine" /a
  2⤵
  PID:1652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine" /grant Administrators:F
  2⤵
  PID:2608
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings" /a
  2⤵
  - Modifies file permissions
  PID:2928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings" /grant Administrators:F
  2⤵
  PID:1964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry" /a
  2⤵
  PID:340
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry" /grant Administrators:F
  2⤵
  PID:1600
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile" /a
  2⤵
  PID:1684
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile" /grant Administrators:F
  2⤵
  PID:1264
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data" /a
  2⤵
  PID:604
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data" /grant Administrators:F
  2⤵
  PID:1316
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins" /a
  2⤵
  PID:536
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins" /grant Administrators:F
  2⤵
  PID:2344
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303" /a
  2⤵
  PID:2752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:608
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html" /a
  2⤵
  PID:2844
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html" /grant Administrators:F
  2⤵
  PID:752
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon" /a
  2⤵
  PID:3028
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon" /grant Administrators:F
  2⤵
  PID:1388
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css" /a
  2⤵
  PID:2972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css" /grant Administrators:F
  2⤵
  PID:556
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs" /a
  2⤵
  PID:1124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs" /grant Administrators:F
  2⤵
  PID:2152
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html" /a
  2⤵
  PID:1980
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html" /grant Administrators:F
  2⤵
  PID:2160
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons" /a
  2⤵
  PID:200
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons" /grant Administrators:F
  2⤵
  PID:1692
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF" /a
  2⤵
  PID:2652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF" /grant Administrators:F
  2⤵
  PID:1820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303" /a
  2⤵
  PID:1052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303" /grant Administrators:F
  2⤵
  PID:2300
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons" /a
  2⤵
  PID:904
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons" /grant Administrators:F
  2⤵
  PID:2904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib" /a
  2⤵
  PID:2232
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib" /grant Administrators:F
  2⤵
  PID:3032
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF" /a
  2⤵
  PID:1828
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF" /grant Administrators:F
  2⤵
  PID:2400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema" /a
  2⤵
  PID:1148
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033" /a
  2⤵
  PID:2808
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033" /grant Administrators:F
  2⤵
  PID:2816
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF" /a
  2⤵
  PID:1328
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF" /grant Administrators:F
  2⤵
  PID:1520
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717" /a
  2⤵
  PID:2156
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717" /grant Administrators:F
  2⤵
  PID:1272
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css" /a
  2⤵
  PID:2552
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css" /grant Administrators:F
  2⤵
  PID:796
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark" /a
  2⤵
  PID:1924
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2104
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images" /a
  2⤵
  PID:1816
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images" /grant Administrators:F
  2⤵
  PID:1708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF" /a
  2⤵
  PID:280
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF" /grant Administrators:F
  2⤵
  PID:1952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm" /a
  2⤵
  PID:2188
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1252
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc" /a
  2⤵
  PID:2756
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc" /grant Administrators:F
  2⤵
  PID:2592
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform" /a
  2⤵
  PID:2496
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform" /grant Administrators:F
  2⤵
  PID:2776
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config" /a
  2⤵
  PID:2844
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config" /grant Administrators:F
  2⤵
  PID:1516
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps" /a
  2⤵
  PID:780
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps" /grant Administrators:F
  2⤵
  PID:1296
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules" /a
  2⤵
  PID:680
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules" /grant Administrators:F
  2⤵
  PID:2432
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core" /a
  2⤵
  PID:2152
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core" /grant Administrators:F
  2⤵
  PID:792
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale" /a
  2⤵
  PID:2916
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale" /grant Administrators:F
  2⤵
  PID:3064
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib" /a
  2⤵
  PID:2008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib" /grant Administrators:F
  2⤵
  PID:1820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe" /a
  2⤵
  PID:3052
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe" /grant Administrators:F
  2⤵
  PID:584
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale" /a
  2⤵
  PID:2888
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale" /grant Administrators:F
  2⤵
  PID:2664
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules" /a
  2⤵
  PID:1660
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules" /grant Administrators:F
  2⤵
  PID:1828
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext" /a
  2⤵
  PID:2900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext" /grant Administrators:F
  2⤵
  PID:2324
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale" /a
  2⤵
  PID:2124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale" /grant Administrators:F
  2⤵
  PID:2516
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale" /a
  2⤵
  PID:276
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale" /grant Administrators:F
  2⤵
  PID:1332
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking" /a
  2⤵
  PID:2536
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking" /grant Administrators:F
  2⤵
  PID:1956
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler" /a
  2⤵
  PID:1524
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1284
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config" /a
  2⤵
  - Modifies file permissions
  PID:2460
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config" /grant Administrators:F
  2⤵
  PID:1964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules" /a
  2⤵
  PID:2360
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib" /a
  2⤵
  PID:2928
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib" /grant Administrators:F
  2⤵
  PID:1616
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed" /a
  2⤵
  PID:2344
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed" /grant Administrators:F
  2⤵
  PID:2056
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15" /a
  2⤵
  PID:208
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15" /grant Administrators:F
  2⤵
  PID:1252
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64" /a
  2⤵
  PID:1604
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64" /grant Administrators:F
  2⤵
  PID:2280
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16" /a
  2⤵
  PID:752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16" /grant Administrators:F
  2⤵
  PID:2408
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64" /a
  2⤵
  PID:1516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64" /grant Administrators:F
  2⤵
  PID:2136
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale" /a
  2⤵
  PID:2780
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale" /grant Administrators:F
  2⤵
  PID:2228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules" /a
  2⤵
  PID:2148
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules" /grant Administrators:F
  2⤵
  PID:2704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale" /a
  2⤵
  PID:2080
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale" /grant Administrators:F
  2⤵
  PID:2916
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking" /a
  2⤵
  PID:1864
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking" /grant Administrators:F
  2⤵
  PID:2848
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm" /a
  2⤵
  PID:2008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm" /grant Administrators:F
  2⤵
  PID:320
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config" /a
  2⤵
  PID:2300
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config" /grant Administrators:F
  2⤵
  PID:2632
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2876
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules" /grant Administrators:F
  2⤵
  PID:2728
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core" /a
  2⤵
  PID:1140
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core" /grant Administrators:F
  2⤵
  PID:2324
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale" /a
  2⤵
  PID:1852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale" /grant Administrators:F
  2⤵
  PID:2000
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules" /a
  2⤵
  PID:1188
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules" /grant Administrators:F
  2⤵
  PID:2580
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale" /a
  2⤵
  PID:1652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale" /grant Administrators:F
  2⤵
  PID:2208
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking" /a
  2⤵
  PID:328
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking" /grant Administrators:F
  2⤵
  PID:2292
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7" /a
  2⤵
  PID:1284
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7" /grant Administrators:F
  2⤵
  PID:3048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin" /a
  2⤵
  PID:1856
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin" /grant Administrators:F
  2⤵
  PID:1040
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\jabswitch.exe" /a
  2⤵
  PID:2604
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\jabswitch.exe" /grant Administrators:F
  2⤵
  PID:2480
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\dtplugin" /a
  2⤵
  PID:1816
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\dtplugin" /grant Administrators:F
  2⤵
  PID:1908
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\plugin2" /a
  2⤵
  PID:1960
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\plugin2" /grant Administrators:F
  2⤵
  PID:1544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\bin\server" /a
  2⤵
  PID:2736
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\bin\server" /grant Administrators:F
  2⤵
  PID:2280
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib" /a
  2⤵
  PID:2168
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib" /grant Administrators:F
  2⤵
  PID:2776
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\amd64" /a
  2⤵
  PID:2496
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\amd64" /grant Administrators:F
  2⤵
  PID:876
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\applet" /a
  2⤵
  PID:216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\applet" /grant Administrators:F
  2⤵
  PID:2836
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\cmm" /a
  2⤵
  PID:1044
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\cmm" /grant Administrators:F
  2⤵
  PID:200
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\deploy" /a
  2⤵
  PID:1276
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\deploy" /grant Administrators:F
  2⤵
  PID:1480
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\ext" /a
  2⤵
  PID:232
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\ext" /grant Administrators:F
  2⤵
  PID:2916
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\fonts" /a
  2⤵
  PID:1124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\fonts" /grant Administrators:F
  2⤵
  PID:2372
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\images" /a
  2⤵
  PID:1820
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\images" /grant Administrators:F
  2⤵
  PID:2924
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\images\cursors" /a
  2⤵
  PID:888
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\images\cursors" /grant Administrators:F
  2⤵
  PID:2732
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\jfr" /a
  2⤵
  PID:1660
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\jfr" /grant Administrators:F
  2⤵
  PID:2632
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\management" /a
  2⤵
  PID:2084
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\management" /grant Administrators:F
  2⤵
  PID:940
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\security" /a
  2⤵
  PID:2124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\security" /grant Administrators:F
  2⤵
  PID:2268
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi" /a
  2⤵
  PID:2796
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi" /grant Administrators:F
  2⤵
  PID:2288
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Africa" /a
  2⤵
  - Modifies file permissions
  PID:2308
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Africa" /grant Administrators:F
  2⤵
  PID:688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America" /a
  2⤵
  PID:1032
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America" /grant Administrators:F
  2⤵
  PID:1264
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\Argentina" /a
  2⤵
  PID:2032
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\Argentina" /grant Administrators:F
  2⤵
  PID:3048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\Indiana" /a
  2⤵
  PID:1600
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\Indiana" /grant Administrators:F
  2⤵
  PID:1768
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\Kentucky" /a
  2⤵
  PID:852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\Kentucky" /grant Administrators:F
  2⤵
  PID:2096
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\America\North_Dakota" /a
  2⤵
  PID:2604
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\America\North_Dakota" /grant Administrators:F
  2⤵
  PID:2756
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Antarctica" /a
  2⤵
  PID:2452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Antarctica" /grant Administrators:F
  2⤵
  PID:2396
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Asia" /a
  2⤵
  PID:2448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Asia" /grant Administrators:F
  2⤵
  PID:1792
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Atlantic" /a
  2⤵
  PID:2776
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Atlantic" /grant Administrators:F
  2⤵
  PID:1080
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Australia" /a
  2⤵
  PID:2408
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Australia" /grant Administrators:F
  2⤵
  PID:2712
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Etc" /a
  2⤵
  PID:976
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Etc" /grant Administrators:F
  2⤵
  PID:2076
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Europe" /a
  2⤵
  PID:2508
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Europe" /grant Administrators:F
  2⤵
  PID:2152
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Indian" /a
  2⤵
  PID:2540
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Indian" /grant Administrators:F
  2⤵
  PID:680
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\Pacific" /a
  2⤵
  - Possible privilege escalation attempt
  PID:204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\Pacific" /grant Administrators:F
  2⤵
  PID:2708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre7\lib\zi\SystemV" /a
  2⤵
  PID:2372
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre7\lib\zi\SystemV" /grant Administrators:F
  2⤵
  PID:3040
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games" /a
  2⤵
  PID:2244
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games" /grant Administrators:F
  2⤵
  PID:2144
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess" /a
  2⤵
  PID:2924
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess" /grant Administrators:F
  2⤵
  PID:1828
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\Chess.exe" /a
  2⤵
  PID:1660
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\Chess.exe" /grant Administrators:F
  2⤵
  PID:544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\de-DE" /a
  2⤵
  PID:1348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\de-DE" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1272
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\en-US" /a
  2⤵
  PID:3004
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\en-US" /grant Administrators:F
  2⤵
  PID:2536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\es-ES" /a
  2⤵
  PID:2444
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\es-ES" /grant Administrators:F
  2⤵
  PID:1684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\fr-FR" /a
  2⤵
  PID:1924
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\fr-FR" /grant Administrators:F
  2⤵
  PID:1040
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\it-IT" /a
  2⤵
  - Possible privilege escalation attempt
  PID:628
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\it-IT" /grant Administrators:F
  2⤵
  PID:2504
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Chess\ja-JP" /a
  2⤵
  PID:2572
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Chess\ja-JP" /grant Administrators:F
  2⤵
  PID:1912
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell" /a
  2⤵
  PID:1892
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:280
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe" /a
  2⤵
  PID:2944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe" /grant Administrators:F
  2⤵
  PID:1952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\de-DE" /a
  2⤵
  PID:2452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\de-DE" /grant Administrators:F
  2⤵
  PID:2756
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\en-US" /a
  2⤵
  PID:2524
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\en-US" /grant Administrators:F
  2⤵
  PID:2668
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\es-ES" /a
  2⤵
  PID:2276
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\es-ES" /grant Administrators:F
  2⤵
  PID:1044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\fr-FR" /a
  2⤵
  PID:2320
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\fr-FR" /grant Administrators:F
  2⤵
  PID:1864
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\it-IT" /a
  2⤵
  PID:2540
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\it-IT" /grant Administrators:F
  2⤵
  PID:2636
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\FreeCell\ja-JP" /a
  2⤵
  PID:2240
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\FreeCell\ja-JP" /grant Administrators:F
  2⤵
  PID:2704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts" /a
  2⤵
  PID:292
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts" /grant Administrators:F
  2⤵
  PID:1148
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\Hearts.exe" /a
  2⤵
  PID:2900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\Hearts.exe" /grant Administrators:F
  2⤵
  PID:1828
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\de-DE" /a
  2⤵
  PID:2316
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\de-DE" /grant Administrators:F
  2⤵
  PID:2232
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\en-US" /a
  2⤵
  PID:1188
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\en-US" /grant Administrators:F
  2⤵
  PID:1548
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\es-ES" /a
  2⤵
  PID:2268
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\es-ES" /grant Administrators:F
  2⤵
  PID:2628
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\fr-FR" /a
  2⤵
  PID:1520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\fr-FR" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2580
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\it-IT" /a
  2⤵
  PID:1264
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\it-IT" /grant Administrators:F
  2⤵
  PID:2948
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Hearts\ja-JP" /a
  2⤵
  PID:1684
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Hearts\ja-JP" /grant Administrators:F
  2⤵
  PID:2564
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Mahjong" /a
  2⤵
  PID:1812
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Mahjong" /grant Administrators:F
  2⤵
  PID:2928
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe" /a
  2⤵
  PID:2188
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe" /grant Administrators:F
  2⤵
  PID:220
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Mahjong\de-DE" /a
  2⤵
  PID:2944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Mahjong\de-DE" /grant Administrators:F
  2⤵
  PID:228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Mahjong\en-US" /a
  2⤵
  PID:2496
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Mahjong\en-US" /grant Administrators:F
  2⤵
  PID:1792
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Mahjong\es-ES" /a
  2⤵
  PID:2760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Mahjong\es-ES" /grant Administrators:F
  2⤵
  PID:1388
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Mahjong\fr-FR" /a
  2⤵
  PID:2836
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Mahjong\fr-FR" /grant Administrators:F
  2⤵
  PID:2828
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Mahjong\it-IT" /a
  2⤵
  PID:792
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Mahjong\it-IT" /grant Administrators:F
  2⤵
  PID:2840
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Mahjong\ja-JP" /a
  2⤵
  PID:2528
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Mahjong\ja-JP" /grant Administrators:F
  2⤵
  PID:2812
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Minesweeper" /a
  2⤵
  PID:904
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Games\Minesweeper" /grant Administrators:F
  2⤵
  PID:2716
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe" /a
  2⤵
  PID:2276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1020264431-198682286097509859611474364817466078312571576215688922891611071169"
1⤵
PID:2964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2060244308-1447198888-134714123615032972713662249921177871786343029958-272766395"
1⤵
PID:3020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1129219470-9427678277711365071491556729-264406895679422775-391994508986534737"
1⤵
PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "79378034476773978915047519754405769711822335282-1840278576-511226265-1007893571"
1⤵
PID:1076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10742083261712360046-1996917397-135557222715933442461476214018348966727701553605"
1⤵
PID:2160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2030828690-2119576907-1969666075-1590690699-1267763765288778863-5016479532133333700"
1⤵
PID:324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11589051691543141266-886895634-1170798775310551164-17652724461146813928-1558253166"
1⤵
PID:864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1334023202-1946927715-132825061-330222822-1145900093-11737144775732460881309254665"
1⤵
PID:2876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2073278314-306771840-1674930658-1954377887-1889936495-1597384821440381622-1822862205"
1⤵
PID:3000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-269208124-13277611551064250523-16782854691074138972-139634626-1385530637120118664"
1⤵
PID:340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "141190602213024800301738831633-77484261718940227311473239422-1656747725-1565996298"
1⤵
PID:536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1129342306-364274288-721160332-119057053010772022081724550303-1973210509-874582534"
1⤵
PID:2828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "120637205021376097391240606925-875401499-2125245227469909456-1038919938-777189665"
1⤵
PID:2000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-129070772711392266231428780591-1985757134-1875464387589945531335499161468024279"
1⤵
PID:1744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19375190611709602918102609817-188560758113100777758026902351652312215-1589601787"
1⤵
PID:2480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-211082842111080909562001282770-9908150621114655601905997645735422472448312137"
1⤵
PID:1208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1631045300-1030274754-800227407-281516853-1481416792-207545719-187816311339730194"
1⤵
PID:2844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1213105895-2319202655235103041660934847-56106329111484658201398821699-1758990037"
1⤵
PID:2824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "850989745-1345979171972872754-358965890-947093450-218145216-913688393-622082430"
1⤵
PID:3020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-380234281-119288691-50666999520147115341764993511-206874831986187627-2094857169"
1⤵
PID:2276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1142749509-1007316584397510700128860671-506160005-166597021-988135943520351562"
1⤵
PID:2748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2139283158123048859691886364-525397691-2717451201303305615756993128-118192331"
1⤵
PID:1032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10655809011025358551-1008891934-20113462751768226682448337947-9571651931889417432"
1⤵
PID:1524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-124292481750213148-1036576954-151427800235903674811072387942099683917347879311"
1⤵
PID:1048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1827023889-1632978856-741904852-1718608318-1158339514-1030706322-2008612203-173345587"
1⤵
PID:2248

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "828486554187392005890393507-7754536327587961313318869637346792751160644911"
1⤵
PID:2712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-118633065919950048851549817547-280575928-21225411418684718422063394719-1404200056"
1⤵
PID:684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-985222268-1560667851-90472478941177295321437794-52421303-562519961-1166900435"
1⤵
PID:2396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2073627362-521312624-1461275090-1537821249-1178422099979577318-1132927109-395636685"
1⤵
PID:216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-126688543015374959312276543731131481925-1813983866-14638265251570894811-652558750"
1⤵
PID:1804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-94440802321019189671359302490-1092486004908115672-1419942096760413381348668174"
1⤵
PID:1764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-296531495496293270-1865211953-1415769390471328778-2145710458-1698694652-246602647"
1⤵
PID:2168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8698157742083816030-11845083061250544337-1036463190-121530435616451480391209341386"
1⤵
PID:2680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2136620645-18968693829200321441806849615-9217238376850891632113119695369464940"
1⤵
PID:292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "540640473-187246296115612654961954423641-442714348-60010818-196678272766513937"
1⤵
PID:2144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18961882799153670784091919051852233701880066938-19810220317376852081320657121"
1⤵
PID:1500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1984363085-1133672187-7550193235539464621181332551166319989-646783062-545035286"
1⤵
PID:1752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1115971225-766603585-1170261777-17474344081235765900803652639-8517294071257654520"
1⤵
PID:2248

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1654219341-1616431279-146935570-6244586831628481163-660127328-279511163-1019081646"
1⤵
PID:780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "58522405577602317133675430-1404328109-3877967541488757584-1120592196-2146202315"
1⤵
PID:2908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8421884071494499206288234657-7007698801365877761333040293-316283963-568269561"
1⤵
PID:3052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1146310997677289645-466853650-1311410719-1996016723-644945894-1605897664714866806"
1⤵
PID:1436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "451996285-1556623029-20944338966876462651225088670-589366722-19376947741699347792"
1⤵
PID:1008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "602613472-1179949672-1783170507812033504-60311356275806867-2992339901297977378"
1⤵
PID:2808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "770141673200753350451443873-435075844128676763298448583-10652581031301417040"
1⤵
PID:2804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-41850514766027698-1718047764-768399831-1918437502-252493950-2118343111313973739"
1⤵
PID:280

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3280655121687568609-407363838927584165-1899523413-52445826-1287129362488886426"
1⤵
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1966270048859263619-4248424181026325175-363126204760147315-15916409771796057363"
1⤵
PID:2852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-128212118-616031365-381125382-429606285-1957709808-1905557778-1084449073-545449332"
1⤵
PID:1296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1418465020-28640051119281629861241967526933051623-444603271-275906719440382104"
1⤵
PID:2620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1161493952-920837354-406307463-21002958762012516992673627361-9829609461896340793"
1⤵
PID:324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-731069341997826811-727506599-570600486-17209852529256268283051138371288518572"
1⤵
PID:1124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18437775801562767320-2521954821550421949-141709312877442835-781410041-930357036"
1⤵
PID:2608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "947330339-856295190-13466266651661794050-102863608111620662422072708326-1614644304"
1⤵
PID:1804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1807161274-16913917091599502581754529306332960532967845418729430102-1222179088"
1⤵
PID:2652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-48161652621206748591959183773-7040350211828805889590293522656425387-840959283"
1⤵
PID:2036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7389434131405901414929519824-6547286221699052437-1885690606-90231041373622665"
1⤵
PID:2816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17890814251831036924469859260-610206940-116064705651007981113584350831423506569"
1⤵
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.exe

Filesize
1.8MB

MD5
a4e3ea70ddb99186cd285d84f27d2a22

SHA1
f17165fe8274a0c5392a1d3b8320d5b0bd48b0ac

SHA256
68116dab3db1fc61379b5fd3970f815438c7f96a90e8c32a21942872ec2268a0

SHA512
d7853490db379f1e46cc7ea160698ca1f60bef5537fa2d1e65310135970336039b15df0a3ce892a84fa569334ad746db0b8a97303b696cddd59681238aee6460

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
4608aa39a35e01dcf0c4477a36d81ff8

SHA1
965b74f47ab88e061cf11e0ad870a19260196355

SHA256
3a0f6002eea209a61720f1ab3b277b002f08ea2edab8ef9fb2a9e8aaf9bdc480

SHA512
b4bb101e1254dae818997ee7cda6cf086bce214249cd5e88a09ef161e507b9ecbedea553be683ee400075619c4937bada6d0df60f04f6831c3e5cb0b3bb8587c

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RCXA862.tmp

Filesize
360KB

MD5
218e18002822b9a3f9fbb5b609f24a03

SHA1
b50a0f3a9d2faf51278081a35f131035ad3860b6

SHA256
e33aecf0678644129fd44a7711a50ca3e648bd92d2a2d9559145f2d3207e5f4e

SHA512
e619f4a104def71c06e52a2a0b8a23dfddafec3cf7d7205217c38fc3a1d474aa8f7e0dc398d6b9b19a6eb272a092d3ae164e4fe763630994b90425ff6fa5480d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
252fc4f2b841258f9aa9e264f75e63b6

SHA1
ad4aa9148c9bbdcc410b001afc41d48164375c66

SHA256
b475c5310847808ff3ea3bd88bdcef0428dc4cbe08a395264f980b36df056bcb

SHA512
c7b1959c05589f0c21bacf67cbcaf6fcf1196cd93100dbbba1c92c2090331252db04f6f0f4d2da439174a17f8f4712f82c5ad9d77564e386cd600ae131fc17d3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\msvcp120ex.dll

Filesize
8.0MB

MD5
fad38087fe1a97999263e36b6a8d2c67

SHA1
c5adb47c781d7d8c2ca33d3d62b5e5db6a96eb8b

SHA256
7d352de779100bc15c52326b54dd7c67c55a120294e0fb21f1e52c90448dda5e

SHA512
4016cad19c726382936c2f5661552eb59703fa500b4b7bca004e762dd2c763a674375f1eee76b6d62e305ae50db5af6b9c0cace4f005c2b9e44733373ab6f82c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
136226073a4ec8cc5b987f7dc385aa6c

SHA1
f15f0ea3bf9bc327825c65c768b14d98fa06838e

SHA256
d3c74a23b3117b8dcaf591cbf21bc41e9d1c3461183c79adc36ab81b888d9cf2

SHA512
5a7160a41ab2d3addedb9290a1c43dd115488c907822b383d3b08fc09fd07f427bf171a48ce6b78d72251a183d0591318bc24f8adcc7ab78643650fbc2f81dad

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
f4bfa8248559fb2723a9cc1ea41fcd59

SHA1
a0da0e1ee0d89a4d8840b99df91d99d7272d3ae4

SHA256
2382f0f37600ff99fc7a49c03a95e05d375ce30c9a381cc1e1c099f4a3848f3d

SHA512
9b9faff53a1fa0df145b68eac31835b843b1aaf8319117c24eb769139cbef98d324c51e9ec3ab9ec5a030d99c84489b3930a54c70c3914a40792358550e65bd0

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\msvcp120ex.dll

Filesize
8.0MB

MD5
ba40b57847d2054d6feb48f681e77e81

SHA1
9167e56eda8c8889f699e0786e5b3d04965790e6

SHA256
da348b9515a2cd3952ab551b99bb10100ace0a1747c9712908071cc56427cf25

SHA512
a5763b9caef5fc051a2f5ca8ed5febae3741a3ac47bb94238f722c2a90758ee3dfa4bc9b86be984493a7660eb6198ab326fb04a5ff56b397ce1bd94feb5734f8

Download Submit
C:\Program Files (x86)\Google\Update\RCXB26A.tmp

Filesize
60KB

MD5
422d954e544f8023c83b70ad479bb093

SHA1
a73a997477c45fd9f7bea39bcffaf997a282276b

SHA256
3d3b5eba79d784945866d18b04827c61ba5268a4e6cce1776e4c3d4140e1d67a

SHA512
cd3f8056b71f63c84f3b0a9e68a5af36444fff30307797af5bebe9f934c0bee63407d87f75d97ac214e372d7aac993b948d4174bb8da49366dae80f68943e6ba

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\msvcp120ex.dll

Filesize
8.0MB

MD5
da573956332359eab268e138ec551dd0

SHA1
28a0d411256b71748e698c64756d6c69a3fd83fb

SHA256
3f343d0cb5322fa012e87ad20afec309d3e10040d1234a27f41f19468f3aeb65

SHA512
648ec41b1c69401dc8f34cb88e2013c1a826e1700c670a01f0196a4f5162b7d5705b831e1368c3793e11058171bef446584deb778c4db87f21c5f4c669ebb4db

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\msvcp120ex.dll

Filesize
8.0MB

MD5
185d41f11da719a9ae05c7d66c488c1b

SHA1
6fab72d2af4b7b00bbd769b0b56c644b7afc9aec

SHA256
45e3bf8afdada24f4981887cfe5600bc2e6ba465294c82831a5a1c21eb719d07

SHA512
3202494e6c306fc5c35a1c84cfa5a058d141f0bc3cdcf0adf475fef9126c353a6dbf49b855128b8b461697ccdd2b0641ef24886f3977391a4231139ff1de1c33

Download Submit
C:\Program Files\DVD Maker\185779611

Filesize
2.3MB

MD5
3709e38da835925d599aaff6bc1bed8c

SHA1
290ff284eae93cd3938b742ef7f02fc4aaf54ff0

SHA256
d1bb56f383bb44eb830236d42bcb3a5ade8745ff2834f0351de4d824384ee957

SHA512
218e38eaa881b340666a72655e59dc9b782fe382dcf3a375983ff2c1ffb67880a095936f84b8e00c37f12343a5d702dfe028c8ab91de1a78c4ed7c4c567f77e7

Download Submit
C:\Program Files\Microsoft Games\Chess\538010884

Filesize
3.2MB

MD5
6f6cb66e60316d58d6e7b1c14bb98766

SHA1
145ceb75c961b9c065fc97de4d60836b17e1f9b8

SHA256
49f54f2b998ab2d60c62b016d8b000ced38e4a6a108dc78ee9af08a6f6a3eb18

SHA512
ff3fd0e49f47ed313951f80312be44b8c66a403fb4b889eab5a691efe51d57e0039dd2a8a67e5a8deb7230d647f69571e5840c691df0dff7d75c3ee1fcf10e52

Download Submit
C:\Program Files\Microsoft Games\Multiplayer\Backgammon\249669146

Filesize
215KB

MD5
0c093f7a8db1482126becc8c8ac4df2a

SHA1
df02a35c352136400ca434f2a3704a16a6bad237

SHA256
005bd0e6967d01a4ca22c9b5fbd8d60b57f582481b5be1c344d4b9983f37e79c

SHA512
c8b7e48464872b3cf6cd91ddf507c0364a022aaffc8642f0eebba6da9069308707631d4659e7479b8947db0d38b152450f9eaf3aaef30f56a71e6152f3af9b71

Download Submit
C:\Program Files\Microsoft Games\Solitaire\397043303

Filesize
963KB

MD5
6b904bdca812da9e4978546a29aa8e6e

SHA1
cf7f96feefb3e7bc42147fa99e88d8757f8fce5c

SHA256
5942838a772b71b7800fb7916908bb2a9557660f2643d3ee0c6465ecc3a73b33

SHA512
ce6ef49ba62bca86c9514fb5a5338d21398cc744ec47c9e526ed9606a098ac04361e33216a0bd46b9fcabeefa25ee6260d94aef0e824541bf92cdaa7a594f471

Download Submit
C:\Users\Admin\AppData\Local\Temp\759736836

Filesize
307KB

MD5
f1a9b4b1f750bb90b7240f38aa3fd939

SHA1
4d630bd6b89f4ba0315ed37035d5e32775a7b969

SHA256
7cc9be747a138d8b9e716ee5f16188215b730af91d9fe954d8e172f515f5b498

SHA512
e4d6eea0e415d27f39224af29cef84bd55fb098b06c7aaee38d6eac34621ca3585bbae0d2fc2938bbe5755fd6d3bbbf47f9c4bc29a6e6914f761c1c76e4a107f

Download Submit
C:\Users\Admin\AppData\Local\Temp\freya_jkt48.log

Filesize
4KB

MD5
7df14f970f590c0b23bb134d888278bc

SHA1
2ee7658c0066f70f196ffd38683a0e948f128ace

SHA256
f578d34366cc6c7ed83aa3da2d4e086348ef87c7f6584180a2db0a07cf417c1e

SHA512
c1ea6e6f4be80c8fd9745bdc99022b4966ed74487cb11a3f10d4c4f9c5cf711062a2470f192e0a2e73b653497bfaee75f74ecbcbf97e6f3e205a61d45ea975fc

Download Submit
C:\Windows\System32\msconfig.exe

Filesize
57KB

MD5
cf45949cdbb39c953331cdcb9cec20f8

SHA1
6756f752141602424af234433dadedc12520165d

SHA256
34df739526c114bb89470b3b650946cbf7335cb4a2206489534fb05c1fc143a8

SHA512
b699b406bb4df8c6fb6339219ab1feaa5c7b2c39082d3761689e9b5326e52861bb8e2770d683838b05e649ff2022f413dc1e3f7e605a03077190f8950f9442be

Download Submit
memory/1780-333-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/1780-337-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/1780-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/1780-400-0x000000001AC60000-0x000000001ACC0000-memory.dmp

Filesize
384KB

Download
memory/1780-1-0x00000000001D0000-0x00000000009E2000-memory.dmp

Filesize
8.1MB

Download
memory/1780-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download