bitpaymer | f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555

Analysis

max time kernel
141s
max time network
123s
platform
windows10_x64
resource
win10-en-20211014
submitted
20-10-2021 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DoppelPaymer.RANSOM.bin.exe
Size

3.2MB
MD5

8c54bbe3f191a8627bfeeb4cb02634a9
SHA1

2fc2ecbed153344557386e80a2fbd097bf795559
SHA256

f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555
SHA512

752d4bb22765373f7ee185acc42b73d5f2b75ae46ed995bf2f59486038a512eca30c5ecf040541cc2833df005ee17db00a0ec5ae802b677ff468f256ea53ecd2

Score

10^/10

bitpaymer xmrig backdoor discovery evasion exploit miner persistence ransomware trojan

Malware Config

Extracted

Path

C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.readme2unlock.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. DO NOT use any recovery software with restoring files overwriting encrypted. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at your personal page: 1. Download and install Tor Browser: https://www.torproject.org/download/ 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c 4. Follow the instructions on the site 5. You should get in contact in 48 HOURS since your systems been infected. 6. The link above is valid for 7 days. After that period if you not get in contact your local data would be lost completely. 7. Questions? e-mail: btpsupport@protonmail.com If email not working - new one you can find on a tor page. The faster you get in contact - the lower price you can expect. DATA CAAAANAnUh+HCaXNAQIAABBmAAAApAAAh+SvG4V13HxJAN+D+R9ECeZXWRZVt1Yh/Y/dC9m18ePU 06iq815SzIcrA0YQeew0KRFltd8NEAdYTzyrcZPdjZZwMO7O+o6K9M3IB8g3ZIDYjGK8YNWhHvg6 w+f/5KMmKbSr0D7Lfolb5JFY3qxLoGCM1aUT5XOU+I0hK9CRra3vx5sRZIWlPGk9zs49DLL1EpGc aCJid5qzxoJox/Yh5WxxDwaMFYoVqEC4qnkhijyiUdzGL7XImjnMaPUsHGcylaLxed4R8ypM5voa 2vEgtJnqdck1R0lzzCvXDPMo6E8VtSG9om2l0I4UvS/sMmPb/IAFMZysBuJq35SCwtVHMQ==

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\vcredist2010_x64.log.html.readme2unlock.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. DO NOT use any recovery software with restoring files overwriting encrypted. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at your personal page: 1. Download and install Tor Browser: https://www.torproject.org/download/ 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c 4. Follow the instructions on the site 5. You should get in contact in 48 HOURS since your systems been infected. 6. The link above is valid for 7 days. After that period if you not get in contact your local data would be lost completely. 7. Questions? e-mail: btpsupport@protonmail.com If email not working - new one you can find on a tor page. The faster you get in contact - the lower price you can expect. DATA CgAAALl+TSbtNVm6vh8BAgAAEGYAAACkAADY3he4J6RnrsL/cfqcMmE9j7gdx3kAR8aMShyRYpji 4Q9XlQtVfPrM2F6iDWnl+NnUL9RBiJv6z5Orcoiis0SGcdwd6eQ+u/65HfDp6kZljJkltqblgyci kHhbnP2NHAMbtdCRI498Z2D8GTtbJsx7xjL0bzbMIt6uzIdY0d6JYUG0lCwp6XNBdzjvrzREFBlf 94yeVabcPw3i1pUtI0Q/CxEJyg56jxf+dA4UhSUs8fqGLG3k2RMXprFVS1ehkllJF6GTD86CmwS7 jvz1USV/ZheYsLPC3fBbQvFFe/G94od5QVZbo+NNPTHVsSsbggt4nrJ/LpaBj/AelNlvOxU3

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.readme2unlock.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. DO NOT use any recovery software with restoring files overwriting encrypted. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at your personal page: 1. Download and install Tor Browser: https://www.torproject.org/download/ 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c 4. Follow the instructions on the site 5. You should get in contact in 48 HOURS since your systems been infected. 6. The link above is valid for 7 days. After that period if you not get in contact your local data would be lost completely. 7. Questions? e-mail: btpsupport@protonmail.com If email not working - new one you can find on a tor page. The faster you get in contact - the lower price you can expect. DATA DgAAANF79F1zumbpnhnraycaAQIAABBmAAAApAAAgLZF4ygjFgf/pJjvw0QtXV62MxJ7XPeutww1 0wL7AEKfCWuyQF6wvJ/D81K9kiYRnrj61HHRHPr9QvV0SJJD1rsdHGO3ty8pFQN1UU+RqAkzi3/k Ud26mJJiazw++fzZHx1S62+lHqy2OcpIckSi0daKp1FEMEkpjU2RRDoiQ1BixpbeFcWnwW54SdC5 Oc/9zG6Kg4e4AvATCGHaLC/b1N85q4LR//QGYLknv7BY+13j3U6C47DBeGwWjlAcLGxNSNK6tTdG 3Ik65uNoCrHzKnvgizxS3hfKFca4OK3I6PP7yzyhvgDLFfNEnrnnQRUydTbb9aW06Qo2wfnSBkBs aA==

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.readme2unlock.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. DO NOT use any recovery software with restoring files overwriting encrypted. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at your personal page: 1. Download and install Tor Browser: https://www.torproject.org/download/ 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c 4. Follow the instructions on the site 5. You should get in contact in 48 HOURS since your systems been infected. 6. The link above is valid for 7 days. After that period if you not get in contact your local data would be lost completely. 7. Questions? e-mail: btpsupport@protonmail.com If email not working - new one you can find on a tor page. The faster you get in contact - the lower price you can expect. DATA EAAAAE7uyE8UmPCqKg/EnmqUeQ8BAgAAEGYAAACkAACKGYe7h7trBIljuAVhCUSJKuXWYr6rwyV0 lTpSxR29AQ6RGeSU4QRfVBEUo4nil134bHUanxdIJZbxk+0wIx8B3LT05pFfPsUUqkqoryQqGM5F xbGDTCB6RCz1pi53gFzTqCYMDoOKL21RJKveckzDTp1O0WsbMXLCAGi7RqH3VWUnWrJhPh20NCPD BN62Cd1B8oj+AWX72sgpQcHD4WzakzsnuRguk9JeGHCCja0G1SDys5oVf9Q+QrE/vzJlfDoDcABE IJ9P918fJ655DCP8QkReIt+3rGZrD+ADaT1JvnP7OIMFPV8Vro/h7btQLhlrTrmaXBqAAMNs4Ya7 +j6m

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.readme2unlock.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. DO NOT use any recovery software with restoring files overwriting encrypted. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at your personal page: 1. Download and install Tor Browser: https://www.torproject.org/download/ 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c 4. Follow the instructions on the site 5. You should get in contact in 48 HOURS since your systems been infected. 6. The link above is valid for 7 days. After that period if you not get in contact your local data would be lost completely. 7. Questions? e-mail: btpsupport@protonmail.com If email not working - new one you can find on a tor page. The faster you get in contact - the lower price you can expect. DATA DAAAAKqQZWtOoChiN21AUQECAAAQZgAAAKQAAHGzNlSF+cwl3xGpV6DhXIN8YiDJVqWYtLS4GBrt TffRLmoe/htKkJEarsKf/wkWRuUTNWqJ7TFz7igoW556TQ8HbqEVQUoI3KdHuFEi5mS/O3Z3pGgB M9syc5Hhk+NFCJnsPIsnYagZ/Cqa8l2N93gUwLRinh9tNSUe71lUKyEfz0x5DRqAh/vWNAeOvvtZ /zbqyM+Yyr8rD8qJSHDgg41GGgQkuZIwV9uvjintauRl77MPvQy68+0WTnrGjIQ377JlaM5m8yF2 cCU6FMPDzgBc5OBjhb/PVX3O7nIBlXrLq2LVbIdXOyEuGguZEcBpKd0AdZ0BIbIlrCHn1StTEGM=

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.readme2unlock.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. DO NOT use any recovery software with restoring files overwriting encrypted. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at your personal page: 1. Download and install Tor Browser: https://www.torproject.org/download/ 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c 4. Follow the instructions on the site 5. You should get in contact in 48 HOURS since your systems been infected. 6. The link above is valid for 7 days. After that period if you not get in contact your local data would be lost completely. 7. Questions? e-mail: btpsupport@protonmail.com If email not working - new one you can find on a tor page. The faster you get in contact - the lower price you can expect. DATA DAAAADTLu/TrqPpa8mphSwECAAAQZgAAAKQAAP/a1g3woTcIOv2GWMJ0cHoyY0Z3FfDFgatfFBGR awIkgEoFelfwkCO6Ys9p/fFuR6mqq5InB8jdKG/8wfnaoFzrLITO+O4DZ6EeUnbUbna+bHEmUGUs M7RqF4QtZnvjrEmtB9ttjZPnr0fw+I2Dh1mz9GnXxkpg2l0lioUyTM8D1uTdxKenpyNbr7JyvaM5 GV2dUpN/MkvGHZSuubejLAerY6+hKEWBTOALE6A4WIlrH2e+EL+aTrZop5zhIUYkOm07g+4n2E0K xI6MOkm1hUN9KJrl1ohx2FZmojlnrqTzh2AUdj/O6d3KJ15I3oagSaUZLNcaPR11EX5kDIPpDhU=

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\vcredist2019_x64_000_vcRuntimeMinimum_x64.log.readme2unlock.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. DO NOT use any recovery software with restoring files overwriting encrypted. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at your personal page: 1. Download and install Tor Browser: https://www.torproject.org/download/ 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c 4. Follow the instructions on the site 5. You should get in contact in 48 HOURS since your systems been infected. 6. The link above is valid for 7 days. After that period if you not get in contact your local data would be lost completely. 7. Questions? e-mail: btpsupport@protonmail.com If email not working - new one you can find on a tor page. The faster you get in contact - the lower price you can expect. DATA BgAAAJTSxZEmXQECAAAQZgAAAKQAAPoApyl9LMaXVeD/PRWu9XT4YrZPBpaiZ6/h0d4NRZkVxVyy nAUW+FiY78l525ZSJ5OxvDVHyyHU863sCiePSKFrI5ahEIy7kwVrQQMvpjAfJ09r9Ov/6swOYWgY kfYKAqxDCh0udo9Aga1Uc3Z1LqCjC5bpRiOcjJamhUYLWRoYxUuO33Yic7uh7MOzjGacC3M34NCp CrMwJbSJGrn4xRrnY92parXDYZgzT3nvx8V/YNSDOyCZb8JGGRLtTYADVcXhgLdr5eHzNF0MbZnl 1jcsZutiY/vJza5tSrkBX4Tgs+PMWdphXfuOBUv5ipXAtzvFq01aKWTOCGO8s/V+d7E=

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\vcredist2019_x64_001_vcRuntimeAdditional_x64.log.readme2unlock.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. DO NOT use any recovery software with restoring files overwriting encrypted. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at your personal page: 1. Download and install Tor Browser: https://www.torproject.org/download/ 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c 4. Follow the instructions on the site 5. You should get in contact in 48 HOURS since your systems been infected. 6. The link above is valid for 7 days. After that period if you not get in contact your local data would be lost completely. 7. Questions? e-mail: btpsupport@protonmail.com If email not working - new one you can find on a tor page. The faster you get in contact - the lower price you can expect. DATA CAAAAMrNiyki2biXAQIAABBmAAAApAAAUj2gzdOtcGCuuQ/5AfeMvZNJ4qPGNsTGPXVY4ZCoMFkg iEo6XeM4KQ1qgoIY5RF71o7xf907I4UP/8SHnSPr3c0V3xeqNEUr9d+/kukM0jD/2K06Q0+ITgZl qFMQBYRg/81sGcJ4wHL9eI7baFK+739j8GQ7GZU2tVCvvknJcoqVJ88GEtNdO3lUEmqnaV+KhOuU z84VkZf7KFxEJanMLlq3M10ZDwXIRmXXu/qS4xyxWiYszfCJc+5Ac3WyAHzHQCHllxTVbLf8Q0zj 94k3oLg744i0b3WvysW3AJIltSeTzaEZb/clrX3VngHM8nUW8KitqkRBTzwipx8lme2nSg==

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\Boot\updaterevokesipolicy.p7b.readme2unlock.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. DO NOT use any recovery software with restoring files overwriting encrypted. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at your personal page: 1. Download and install Tor Browser: https://www.torproject.org/download/ 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c 4. Follow the instructions on the site 5. You should get in contact in 48 HOURS since your systems been infected. 6. The link above is valid for 7 days. After that period if you not get in contact your local data would be lost completely. 7. Questions? e-mail: btpsupport@protonmail.com If email not working - new one you can find on a tor page. The faster you get in contact - the lower price you can expect. DATA CgAAAJqyDCn44WQTxocBAgAAEGYAAACkAABg7Q1bzxI/DEBN3N5OJjclJfK+xeiBKRdY7MKUH/Cn 4dm35H4UZsK/YFCkEv+Q7417sQ/QGlNrPUYaOvqHszyj7vPDaGs8N1/Hs9KD5CpP75b4Ki1M+0x+ SibX3WicgvK6RFEzN4w0a34FqhqJXlY7iuTowMGtE2eUi+qEmFmJjWCPbvyxztfJGqCBT4Z4XMg3 WLnvB8tzZrlGH5GasIsL2GwAgQBcsHkqd+B75fL1WsxlL4jvyfC13qeiBUVmhkLUwsQd5RvWTCBd FOs34s0HiMGt2AVq85D5H7ssu49GTiLkCkMHOSsVevmrN23/10SMxnvDTgR0mSTd8RKulcE2

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Path

C:\Boot\bg-BG\bootmgr.exe.mui.readme2unlock.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. DO NOT use any recovery software with restoring files overwriting encrypted. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at your personal page: 1. Download and install Tor Browser: https://www.torproject.org/download/ 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c 4. Follow the instructions on the site 5. You should get in contact in 48 HOURS since your systems been infected. 6. The link above is valid for 7 days. After that period if you not get in contact your local data would be lost completely. 7. Questions? e-mail: btpsupport@protonmail.com If email not working - new one you can find on a tor page. The faster you get in contact - the lower price you can expect. DATA EAAAAPF6LnOdXM1ZjXQZNRwQE5QBAgAAEGYAAACkAABWI5sgI2Gz3+8TPrdC+GdwdVdQ7y+F3bOZ LSq3Gv9c3CFojYqXzGWts4vhdhAtIbJ3pxN+k9XfxekrT9o+fx0JtGiTWSrdGt5gUz6fooFnedhs x7V6km6RdAOMYb1x2bUUMY28puH9OfkKmzJia6bLsnL+8RZDhNQcbMhg4/DxtmzX7w8N6Clc0CbB Ps7kVogX+YlsG3XUa3/vt346y6O3yEjpFX/YQ0WX4VkdKfyf43v+cLBo06btpIAMJrYLAFzvz1u9 LccHkWusrpbvscrUh+F10QLbhM/oXyB0Yk8xLgSHP1jroGlE1WKKEaJ27JS3LM4vvvMs2ip2ex76 QtGD

Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Signatures

BitPaymer
Bitpaymer is a Trojan horse that encrypts files on a computer.
ransomware backdoor bitpaymer
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 4 IoCs

Processes:

p1q135no.exe5JZpJVsk:mJSsMHmsdtc.exeZQKG30~1:XqCwN

pid process

1196 p1q135no.exe
1132 5JZpJVsk:mJSsMH
2940 msdtc.exe
4020 ZQKG30~1:XqCwN

pid	process
1196	p1q135no.exe
1132	5JZpJVsk:mJSsMH
2940	msdtc.exe
4020	ZQKG30~1:XqCwN

Possible privilege escalation attempt 64 IoCs

exploit

Processes:

icacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
1196	icacls.exe
980	icacls.exe
2568	takeown.exe
1716	takeown.exe
284	takeown.exe
360	icacls.exe
2336	takeown.exe
3804	icacls.exe
1960	icacls.exe
2100	icacls.exe
268	takeown.exe
208	icacls.exe
1444	icacls.exe
2084	takeown.exe
3056	takeown.exe
1852	icacls.exe
2976	icacls.exe
1036	takeown.exe
1684	icacls.exe
1440	takeown.exe
1520	icacls.exe
2144	icacls.exe
1948	takeown.exe
1876	icacls.exe
1036	takeown.exe
1684	icacls.exe
3536	takeown.exe
2288	icacls.exe
2248	icacls.exe
256	takeown.exe
1684	takeown.exe
884	takeown.exe
688	takeown.exe
1928	takeown.exe
3452	icacls.exe
1056	takeown.exe
1504	takeown.exe
3564	takeown.exe
1724	icacls.exe
1612	icacls.exe
2836	takeown.exe
360	takeown.exe
752	takeown.exe
1816	takeown.exe
2684	icacls.exe
1872	takeown.exe
3564	icacls.exe
1100	icacls.exe
420	icacls.exe
1636	icacls.exe
3376	takeown.exe
252	takeown.exe
1684	icacls.exe
360	icacls.exe
1072	takeown.exe
3528	takeown.exe
1816	icacls.exe
1304	icacls.exe
1724	takeown.exe
3040	icacls.exe
884	icacls.exe
2184	icacls.exe
3916	icacls.exe
3564	icacls.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies file permissions 1 TTPs 64 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exe

pid	process
3444	icacls.exe
1724	icacls.exe
1808	icacls.exe
2992	takeown.exe
2564	takeown.exe
2704	takeown.exe
1636	icacls.exe
2500	takeown.exe
1768	icacls.exe
3644	takeown.exe
3032	icacls.exe
3548	takeown.exe
1496	takeown.exe
3376	icacls.exe
3884	takeown.exe
3620	takeown.exe
2180	takeown.exe
1712	takeown.exe
1252	takeown.exe
1948	takeown.exe
1808	takeown.exe
1932	icacls.exe
3052	takeown.exe
1340	takeown.exe
2084	takeown.exe
2184	takeown.exe
1216	icacls.exe
3572	takeown.exe
1108	icacls.exe
2084	takeown.exe
1752	icacls.exe
360	icacls.exe
3560	takeown.exe
208	takeown.exe
1108	icacls.exe
1944	icacls.exe
1216	icacls.exe
1444	icacls.exe
4084	takeown.exe
3796	icacls.exe
3376	takeown.exe
3032	takeown.exe
1428	takeown.exe
3536	takeown.exe
1808	icacls.exe
3932	icacls.exe
1944	icacls.exe
3500	icacls.exe
1336	takeown.exe
3448	takeown.exe
1644	icacls.exe
1176	icacls.exe
2140	icacls.exe
1724	icacls.exe
3500	takeown.exe
608	takeown.exe
3992	takeown.exe
1056	icacls.exe
3448	takeown.exe
1848	icacls.exe
3472	takeown.exe
3800	takeown.exe
3644	icacls.exe
260	icacls.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

p1q135no.exe5JZpJVsk:mJSsMHmsdtc.exeZQKG30~1:XqCwN

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p1q135no.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5JZpJVsk:mJSsMH
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdtc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ZQKG30~1:XqCwN

Drops file in System32 directory 2 IoCs

Processes:

5JZpJVsk:mJSsMH

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	5JZpJVsk:mJSsMH
File created	C:\Windows\System32\msdtc.exe:0	5JZpJVsk:mJSsMH

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

3756 vssadmin.exe
1508 vssadmin.exe

pid	process
3756	vssadmin.exe
1508	vssadmin.exe

NTFS ADS 2 IoCs

Processes:

p1q135no.exemsdtc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\5JZpJVsk:mJSsMH	p1q135no.exe
File created	C:\Users\Admin\AppData\Roaming\ZQKG30~1:XqCwN	msdtc.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

344 NOTEPAD.EXE

pid	process
344	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5JZpJVsk:mJSsMHmsdtc.exeZQKG30~1:XqCwNtaskmgr.exe

pid	process
1132	5JZpJVsk:mJSsMH
1132	5JZpJVsk:mJSsMH
1132	5JZpJVsk:mJSsMH
1132	5JZpJVsk:mJSsMH
1132	5JZpJVsk:mJSsMH
1132	5JZpJVsk:mJSsMH
1132	5JZpJVsk:mJSsMH
1132	5JZpJVsk:mJSsMH
1132	5JZpJVsk:mJSsMH
1132	5JZpJVsk:mJSsMH
2940	msdtc.exe
2940	msdtc.exe
2940	msdtc.exe
2940	msdtc.exe
2940	msdtc.exe
2940	msdtc.exe
2940	msdtc.exe
2940	msdtc.exe
2940	msdtc.exe
2940	msdtc.exe
2940	msdtc.exe
2940	msdtc.exe
2940	msdtc.exe
2940	msdtc.exe
4020	ZQKG30~1:XqCwN
4020	ZQKG30~1:XqCwN
4020	ZQKG30~1:XqCwN
4020	ZQKG30~1:XqCwN
4020	ZQKG30~1:XqCwN
4020	ZQKG30~1:XqCwN
4020	ZQKG30~1:XqCwN
4020	ZQKG30~1:XqCwN
4020	ZQKG30~1:XqCwN
4020	ZQKG30~1:XqCwN
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

3808 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

takeown.exetakeown.exevssvc.exetakeown.exetakeown.exetakeown.exemsdtc.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetaskmgr.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1168	takeown.exe
Token: SeTakeOwnershipPrivilege	836	takeown.exe
Token: SeBackupPrivilege	2348	vssvc.exe
Token: SeRestorePrivilege	2348	vssvc.exe
Token: SeAuditPrivilege	2348	vssvc.exe
Token: SeTakeOwnershipPrivilege	2020	takeown.exe
Token: SeTakeOwnershipPrivilege	2840	takeown.exe
Token: SeTakeOwnershipPrivilege	3928	takeown.exe
Token: SeIncreaseQuotaPrivilege	2940	msdtc.exe
Token: SeAssignPrimaryTokenPrivilege	2940	msdtc.exe
Token: SeTcbPrivilege	2940	msdtc.exe
Token: SeTakeOwnershipPrivilege	2084	takeown.exe
Token: SeTakeOwnershipPrivilege	4044	takeown.exe
Token: SeTakeOwnershipPrivilege	4084	takeown.exe
Token: SeTakeOwnershipPrivilege	2752	takeown.exe
Token: SeTakeOwnershipPrivilege	1072	takeown.exe
Token: SeTakeOwnershipPrivilege	704	takeown.exe
Token: SeTakeOwnershipPrivilege	3100	takeown.exe
Token: SeTakeOwnershipPrivilege	3108	takeown.exe
Token: SeTakeOwnershipPrivilege	1060	takeown.exe
Token: SeTakeOwnershipPrivilege	1340	takeown.exe
Token: SeTakeOwnershipPrivilege	3948	takeown.exe
Token: SeTakeOwnershipPrivilege	872	takeown.exe
Token: SeTakeOwnershipPrivilege	2264	takeown.exe
Token: SeTakeOwnershipPrivilege	3264	takeown.exe
Token: SeTakeOwnershipPrivilege	3856	takeown.exe
Token: SeTakeOwnershipPrivilege	660	takeown.exe
Token: SeTakeOwnershipPrivilege	2816	takeown.exe
Token: SeTakeOwnershipPrivilege	1816	takeown.exe
Token: SeTakeOwnershipPrivilege	360	takeown.exe
Token: SeTakeOwnershipPrivilege	1244	takeown.exe
Token: SeTakeOwnershipPrivilege	3564	takeown.exe
Token: SeTakeOwnershipPrivilege	280	takeown.exe
Token: SeTakeOwnershipPrivilege	1728	takeown.exe
Token: SeTakeOwnershipPrivilege	3216	takeown.exe
Token: SeTakeOwnershipPrivilege	2008	takeown.exe
Token: SeTakeOwnershipPrivilege	1428	takeown.exe
Token: SeTakeOwnershipPrivilege	1632	takeown.exe
Token: SeTakeOwnershipPrivilege	3264	takeown.exe
Token: SeTakeOwnershipPrivilege	2704	takeown.exe
Token: SeTakeOwnershipPrivilege	3772	takeown.exe
Token: SeTakeOwnershipPrivilege	3840	takeown.exe
Token: SeTakeOwnershipPrivilege	3528	takeown.exe
Token: SeTakeOwnershipPrivilege	3260	takeown.exe
Token: SeTakeOwnershipPrivilege	1316	takeown.exe
Token: SeTakeOwnershipPrivilege	1056	takeown.exe
Token: SeTakeOwnershipPrivilege	2056	takeown.exe
Token: SeTakeOwnershipPrivilege	3516	takeown.exe
Token: SeTakeOwnershipPrivilege	1728	takeown.exe
Token: SeTakeOwnershipPrivilege	2492	takeown.exe
Token: SeTakeOwnershipPrivilege	4064	takeown.exe
Token: SeTakeOwnershipPrivilege	1164	takeown.exe
Token: SeTakeOwnershipPrivilege	1928	takeown.exe
Token: SeTakeOwnershipPrivilege	3264	takeown.exe
Token: SeTakeOwnershipPrivilege	1872	takeown.exe
Token: SeDebugPrivilege	3808	taskmgr.exe
Token: SeSystemProfilePrivilege	3808	taskmgr.exe
Token: SeCreateGlobalPrivilege	3808	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1496	takeown.exe
Token: SeTakeOwnershipPrivilege	1196	takeown.exe
Token: SeTakeOwnershipPrivilege	3180	takeown.exe
Token: SeTakeOwnershipPrivilege	3096	takeown.exe
Token: SeTakeOwnershipPrivilege	3572	takeown.exe
Token: SeTakeOwnershipPrivilege	260	takeown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

DoppelPaymer.RANSOM.bin.exe

pid process

1816 DoppelPaymer.RANSOM.bin.exe
1816 DoppelPaymer.RANSOM.bin.exe

pid	process
1816	DoppelPaymer.RANSOM.bin.exe
1816	DoppelPaymer.RANSOM.bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DoppelPaymer.RANSOM.bin.exep1q135no.exe5JZpJVsk:mJSsMHmsdtc.exeZQKG30~1:XqCwN

description	pid	process	target process
PID 1816 wrote to memory of 1196	1816	DoppelPaymer.RANSOM.bin.exe	p1q135no.exe
PID 1816 wrote to memory of 1196	1816	DoppelPaymer.RANSOM.bin.exe	p1q135no.exe
PID 1816 wrote to memory of 1196	1816	DoppelPaymer.RANSOM.bin.exe	p1q135no.exe
PID 1196 wrote to memory of 1132	1196	p1q135no.exe	5JZpJVsk:mJSsMH
PID 1196 wrote to memory of 1132	1196	p1q135no.exe	5JZpJVsk:mJSsMH
PID 1196 wrote to memory of 1132	1196	p1q135no.exe	5JZpJVsk:mJSsMH
PID 1132 wrote to memory of 1168	1132	5JZpJVsk:mJSsMH	takeown.exe
PID 1132 wrote to memory of 1168	1132	5JZpJVsk:mJSsMH	takeown.exe
PID 1132 wrote to memory of 3100	1132	5JZpJVsk:mJSsMH	icacls.exe
PID 1132 wrote to memory of 3100	1132	5JZpJVsk:mJSsMH	icacls.exe
PID 1132 wrote to memory of 836	1132	5JZpJVsk:mJSsMH	takeown.exe
PID 1132 wrote to memory of 836	1132	5JZpJVsk:mJSsMH	takeown.exe
PID 1132 wrote to memory of 3540	1132	5JZpJVsk:mJSsMH	icacls.exe
PID 1132 wrote to memory of 3540	1132	5JZpJVsk:mJSsMH	icacls.exe
PID 1132 wrote to memory of 3756	1132	5JZpJVsk:mJSsMH	vssadmin.exe
PID 1132 wrote to memory of 3756	1132	5JZpJVsk:mJSsMH	vssadmin.exe
PID 1132 wrote to memory of 2020	1132	5JZpJVsk:mJSsMH	takeown.exe
PID 1132 wrote to memory of 2020	1132	5JZpJVsk:mJSsMH	takeown.exe
PID 1132 wrote to memory of 2120	1132	5JZpJVsk:mJSsMH	icacls.exe
PID 1132 wrote to memory of 2120	1132	5JZpJVsk:mJSsMH	icacls.exe
PID 2940 wrote to memory of 2840	2940	msdtc.exe	takeown.exe
PID 2940 wrote to memory of 2840	2940	msdtc.exe	takeown.exe
PID 2940 wrote to memory of 3500	2940	msdtc.exe	icacls.exe
PID 2940 wrote to memory of 3500	2940	msdtc.exe	icacls.exe
PID 2940 wrote to memory of 3928	2940	msdtc.exe	takeown.exe
PID 2940 wrote to memory of 3928	2940	msdtc.exe	takeown.exe
PID 2940 wrote to memory of 1612	2940	msdtc.exe	icacls.exe
PID 2940 wrote to memory of 1612	2940	msdtc.exe	icacls.exe
PID 2940 wrote to memory of 4020	2940	msdtc.exe	ZQKG30~1:XqCwN
PID 2940 wrote to memory of 4020	2940	msdtc.exe	ZQKG30~1:XqCwN
PID 2940 wrote to memory of 4020	2940	msdtc.exe	ZQKG30~1:XqCwN
PID 4020 wrote to memory of 2084	4020	ZQKG30~1:XqCwN	takeown.exe
PID 4020 wrote to memory of 2084	4020	ZQKG30~1:XqCwN	takeown.exe
PID 4020 wrote to memory of 1192	4020	ZQKG30~1:XqCwN	icacls.exe
PID 4020 wrote to memory of 1192	4020	ZQKG30~1:XqCwN	icacls.exe
PID 4020 wrote to memory of 4044	4020	ZQKG30~1:XqCwN	takeown.exe
PID 4020 wrote to memory of 4044	4020	ZQKG30~1:XqCwN	takeown.exe
PID 4020 wrote to memory of 2564	4020	ZQKG30~1:XqCwN	icacls.exe
PID 4020 wrote to memory of 2564	4020	ZQKG30~1:XqCwN	icacls.exe
PID 4020 wrote to memory of 1508	4020	ZQKG30~1:XqCwN	vssadmin.exe
PID 4020 wrote to memory of 1508	4020	ZQKG30~1:XqCwN	vssadmin.exe
PID 2940 wrote to memory of 4084	2940	msdtc.exe	takeown.exe
PID 2940 wrote to memory of 4084	2940	msdtc.exe	takeown.exe
PID 2940 wrote to memory of 4084	2940	msdtc.exe	takeown.exe
PID 2940 wrote to memory of 3960	2940	msdtc.exe	icacls.exe
PID 2940 wrote to memory of 3960	2940	msdtc.exe	icacls.exe
PID 2940 wrote to memory of 3960	2940	msdtc.exe	icacls.exe
PID 2940 wrote to memory of 2752	2940	msdtc.exe	takeown.exe
PID 2940 wrote to memory of 2752	2940	msdtc.exe	takeown.exe
PID 2940 wrote to memory of 2752	2940	msdtc.exe	takeown.exe
PID 2940 wrote to memory of 1944	2940	msdtc.exe	icacls.exe
PID 2940 wrote to memory of 1944	2940	msdtc.exe	icacls.exe
PID 2940 wrote to memory of 1944	2940	msdtc.exe	icacls.exe
PID 2940 wrote to memory of 1072	2940	msdtc.exe	takeown.exe
PID 2940 wrote to memory of 1072	2940	msdtc.exe	takeown.exe
PID 2940 wrote to memory of 1072	2940	msdtc.exe	takeown.exe
PID 2940 wrote to memory of 1248	2940	msdtc.exe	icacls.exe
PID 2940 wrote to memory of 1248	2940	msdtc.exe	icacls.exe
PID 2940 wrote to memory of 1248	2940	msdtc.exe	icacls.exe
PID 2940 wrote to memory of 704	2940	msdtc.exe	takeown.exe
PID 2940 wrote to memory of 704	2940	msdtc.exe	takeown.exe
PID 2940 wrote to memory of 704	2940	msdtc.exe	takeown.exe
PID 2940 wrote to memory of 3032	2940	msdtc.exe	icacls.exe
PID 2940 wrote to memory of 3032	2940	msdtc.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\DoppelPaymer.RANSOM.bin.exe
"C:\Users\Admin\AppData\Local\Temp\DoppelPaymer.RANSOM.bin.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\gratemin\Desktop\p1q135no.exe
"C:\Users\gratemin\Desktop\p1q135no.exe" QWD5MRg95gUEfGVSvUGBY84h
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Roaming\5JZpJVsk:mJSsMH
C:\Users\Admin\AppData\Roaming\5JZpJVsk:mJSsMH QWD5MRg95gUEfGVSvUGBY84h C:\Users\gratemin\Desktop\p1q135no.exe
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\system32\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Program Files\Windows Defender\NisSrv.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe "C:\Program Files\Windows Defender\NisSrv.exe" /reset
4⤵
PID:3100

C:\Windows\system32\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Program Files\Windows Defender\MsMpEng.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe "C:\Program Files\Windows Defender\MsMpEng.exe" /reset
4⤵
PID:3540

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:3756

C:\Windows\system32\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Windows\System32\msdtc.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\Windows\System32\msdtc.exe /reset
4⤵
PID:2120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe QWD5MRg95gUEfGVSvUGBY84h
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\system32\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Program Files\Windows Defender\NisSrv.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe "C:\Program Files\Windows Defender\NisSrv.exe" /reset
2⤵
PID:3500

C:\Windows\system32\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Program Files\Windows Defender\MsMpEng.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe "C:\Program Files\Windows Defender\MsMpEng.exe" /reset
2⤵
PID:1612

C:\Users\Admin\AppData\Roaming\ZQKG30~1:XqCwN
C:\Users\Admin\AppData\Roaming\ZQKG30~1:XqCwN QWD5MRg95gUEfGVSvUGBY84h
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\system32\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Program Files\Windows Defender\NisSrv.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe "C:\Program Files\Windows Defender\NisSrv.exe" /reset
3⤵
PID:1192

C:\Windows\system32\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Program Files\Windows Defender\MsMpEng.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe "C:\Program Files\Windows Defender\MsMpEng.exe" /reset
3⤵
PID:2564

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1508

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\updaterevokesipolicy.p7b
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\updaterevokesipolicy.p7b /reset
2⤵
PID:3960

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\bg-BG\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\bg-BG\bootmgr.exe.mui /reset
2⤵
- Modifies file permissions
PID:1944

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\cs-CZ\bootmgr.exe.mui
2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\cs-CZ\bootmgr.exe.mui /reset
2⤵
PID:1248

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\cs-CZ\memtest.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\cs-CZ\memtest.exe.mui /reset
2⤵
- Modifies file permissions
PID:3032

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\da-DK\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\da-DK\bootmgr.exe.mui /reset
2⤵
PID:3052

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\da-DK\memtest.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\da-DK\memtest.exe.mui /reset
2⤵
PID:252

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\de-DE\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\de-DE\bootmgr.exe.mui /reset
2⤵
PID:1648

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\de-DE\memtest.exe.mui
2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\de-DE\memtest.exe.mui /reset
2⤵
PID:2120

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\el-GR\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\el-GR\bootmgr.exe.mui /reset
2⤵
PID:1916

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\el-GR\memtest.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\el-GR\memtest.exe.mui /reset
2⤵
PID:3208

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\en-GB\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\en-GB\bootmgr.exe.mui /reset
2⤵
PID:2400

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\en-US\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\en-US\bootmgr.exe.mui /reset
2⤵
PID:1644

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\en-US\memtest.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\en-US\memtest.exe.mui /reset
2⤵
PID:1020

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\es-ES\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\es-ES\bootmgr.exe.mui /reset
2⤵
PID:3284

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\es-ES\memtest.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\es-ES\memtest.exe.mui /reset
2⤵
PID:4088

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\es-MX\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\es-MX\bootmgr.exe.mui /reset
2⤵
- Modifies file permissions
PID:1176

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\et-EE\bootmgr.exe.mui
2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\et-EE\bootmgr.exe.mui /reset
2⤵
PID:64

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\fi-FI\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\fi-FI\bootmgr.exe.mui /reset
2⤵
PID:864

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\fi-FI\memtest.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\fi-FI\memtest.exe.mui /reset
2⤵
- Modifies file permissions
PID:1724

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\fr-CA\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:280

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\fr-CA\bootmgr.exe.mui /reset
2⤵
PID:3708

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\fr-FR\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\fr-FR\bootmgr.exe.mui /reset
2⤵
PID:2144

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\fr-FR\memtest.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\fr-FR\memtest.exe.mui /reset
2⤵
PID:1712

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\hr-HR\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\hr-HR\bootmgr.exe.mui /reset
2⤵
PID:1100

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\hu-HU\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\hu-HU\bootmgr.exe.mui /reset
2⤵
PID:1352

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\hu-HU\memtest.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\hu-HU\memtest.exe.mui /reset
2⤵
PID:1740

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\it-IT\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\it-IT\bootmgr.exe.mui /reset
2⤵
PID:3860

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\it-IT\memtest.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\it-IT\memtest.exe.mui /reset
2⤵
PID:1020

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\ja-JP\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\ja-JP\bootmgr.exe.mui /reset
2⤵
PID:2968

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\ja-JP\memtest.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\ja-JP\memtest.exe.mui /reset
2⤵
PID:1420

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\ko-KR\bootmgr.exe.mui
2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\ko-KR\bootmgr.exe.mui /reset
2⤵
- Possible privilege escalation attempt
PID:1196

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\ko-KR\memtest.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\ko-KR\memtest.exe.mui /reset
2⤵
PID:200

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\lt-LT\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\lt-LT\bootmgr.exe.mui /reset
2⤵
PID:3096

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\lv-LV\bootmgr.exe.mui
2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\lv-LV\bootmgr.exe.mui /reset
2⤵
PID:1332

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\nb-NO\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\nb-NO\bootmgr.exe.mui /reset
2⤵
PID:948

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\nb-NO\memtest.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\nb-NO\memtest.exe.mui /reset
2⤵
PID:884

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\nl-NL\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\nl-NL\bootmgr.exe.mui /reset
2⤵
PID:1340

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\nl-NL\memtest.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\nl-NL\memtest.exe.mui /reset
2⤵
PID:3948

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\pl-PL\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\pl-PL\bootmgr.exe.mui /reset
2⤵
PID:1852

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\pl-PL\memtest.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\pl-PL\memtest.exe.mui /reset
2⤵
PID:2284

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\pt-BR\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\pt-BR\bootmgr.exe.mui /reset
2⤵
PID:1284

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\pt-BR\memtest.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\pt-BR\memtest.exe.mui /reset
2⤵
PID:3988

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\pt-PT\bootmgr.exe.mui
2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\pt-PT\bootmgr.exe.mui /reset
2⤵
PID:4084

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\pt-PT\memtest.exe.mui
2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\pt-PT\memtest.exe.mui /reset
2⤵
- Possible privilege escalation attempt
PID:1816

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\qps-ploc\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\qps-ploc\bootmgr.exe.mui /reset
2⤵
PID:1036

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\qps-ploc\memtest.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\qps-ploc\memtest.exe.mui /reset
2⤵
PID:3120

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\Resources\en-US\bootres.dll.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\Resources\en-US\bootres.dll.mui /reset
2⤵
PID:3052

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\ro-RO\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\ro-RO\bootmgr.exe.mui /reset
2⤵
PID:3108

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\ru-RU\bootmgr.exe.mui
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:260

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\ru-RU\bootmgr.exe.mui /reset
2⤵
PID:3708

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\ru-RU\memtest.exe.mui
2⤵
PID:884

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\ru-RU\memtest.exe.mui /reset
2⤵
PID:2876

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\sk-SK\bootmgr.exe.mui
2⤵
PID:3228

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\sk-SK\bootmgr.exe.mui /reset
2⤵
PID:3004

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\sl-SI\bootmgr.exe.mui
2⤵
- Possible privilege escalation attempt
PID:1504

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\sl-SI\bootmgr.exe.mui /reset
2⤵
PID:3140

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\sr-Latn-RS\bootmgr.exe.mui
2⤵
PID:1852

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\sr-Latn-RS\bootmgr.exe.mui /reset
2⤵
PID:1376

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\sv-SE\bootmgr.exe.mui
2⤵
PID:2892

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\sv-SE\bootmgr.exe.mui /reset
2⤵
PID:1288

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\sv-SE\memtest.exe.mui
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2084

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\sv-SE\memtest.exe.mui /reset
2⤵
PID:3868

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\tr-TR\bootmgr.exe.mui
2⤵
PID:3856

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\tr-TR\bootmgr.exe.mui /reset
2⤵
PID:700

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\tr-TR\memtest.exe.mui
2⤵
PID:2952

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\tr-TR\memtest.exe.mui /reset
2⤵
PID:2968

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\uk-UA\bootmgr.exe.mui
2⤵
PID:1176

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\uk-UA\bootmgr.exe.mui /reset
2⤵
PID:1412

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\zh-CN\bootmgr.exe.mui
2⤵
PID:4000

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\zh-CN\bootmgr.exe.mui /reset
2⤵
PID:200

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\zh-CN\memtest.exe.mui
2⤵
PID:3184

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\zh-CN\memtest.exe.mui /reset
2⤵
PID:1488

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\zh-TW\bootmgr.exe.mui
2⤵
PID:3660

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\zh-TW\bootmgr.exe.mui /reset
2⤵
- Possible privilege escalation attempt
PID:3564

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F C:\Boot\zh-TW\memtest.exe.mui
2⤵
PID:1324

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe C:\Boot\zh-TW\memtest.exe.mui /reset
2⤵
PID:344

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings"
2⤵
PID:3068

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings" /reset
2⤵
PID:1444

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\AppData\Local\Application Data"
2⤵
PID:2180

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\AppData\Local\Application Data" /reset
2⤵
PID:900

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\AppData\Local\Application Data\History"
2⤵
PID:3928

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\AppData\Local\Application Data\History" /reset
2⤵
PID:1372

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\AppData\Local\Application Data\Microsoft\Windows\INetCache\Content.IE5"
2⤵
PID:1612

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\AppData\Local\Application Data\Microsoft\Windows\INetCache\Content.IE5" /reset
2⤵
PID:3040

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files"
2⤵
PID:1376

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files" /reset
2⤵
- Possible privilege escalation attempt
PID:1304

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\AppData\Local\Application Data\Temporary Internet Files"
2⤵
- Modifies file permissions
PID:3800

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\AppData\Local\Application Data\Temporary Internet Files" /reset
2⤵
PID:3084

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\Application Data"
2⤵
PID:800

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\Application Data" /reset
2⤵
PID:2068

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\Cookies"
2⤵
PID:688

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\Cookies" /reset
2⤵
PID:1944

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\Documents\My Music"
2⤵
PID:1196

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\Documents\My Music" /reset
2⤵
- Modifies file permissions
PID:1808

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\Documents\My Pictures"
2⤵
PID:1168

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\Documents\My Pictures" /reset
2⤵
PID:2688

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\Documents\My Videos"
2⤵
PID:620

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\Documents\My Videos" /reset
2⤵
PID:3564

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\Local Settings"
2⤵
- Possible privilege escalation attempt
PID:256

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\Local Settings" /reset
2⤵
PID:2364

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\My Documents"
2⤵
PID:884

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\My Documents" /reset
2⤵
PID:2876

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\NetHood"
2⤵
PID:2896

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\NetHood" /reset
2⤵
PID:1712

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\PrintHood"
2⤵
PID:1916

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\PrintHood" /reset
2⤵
PID:1752

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\Recent"
2⤵
PID:2360

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\Recent" /reset
2⤵
PID:916

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\SendTo"
2⤵
PID:3368

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\SendTo" /reset
2⤵
PID:1192

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\Start Menu"
2⤵
PID:3444

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\Start Menu" /reset
2⤵
PID:1948

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\Templates"
2⤵
PID:2836

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\Templates" /reset
2⤵
PID:2972

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data"
2⤵
PID:688

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data" /reset
2⤵
PID:1944

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Desktop"
2⤵
PID:704

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Desktop" /reset
2⤵
PID:980

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Documents"
2⤵
PID:3100

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Documents" /reset
2⤵
PID:268

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Documents\My Music"
2⤵
- Possible privilege escalation attempt
PID:284

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Documents\My Music" /reset
2⤵
PID:1060

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Documents\My Pictures"
2⤵
PID:280

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Documents\My Pictures" /reset
2⤵
- Modifies file permissions
PID:1636

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Documents\My Videos"
2⤵
PID:2144

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Documents\My Videos" /reset
2⤵
- Possible privilege escalation attempt
PID:2976

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
2⤵
PID:2896

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /reset
2⤵
PID:3448

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
2⤵
PID:3696

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /reset
2⤵
PID:1612

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
2⤵
PID:1100

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /reset
2⤵
PID:1848

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
2⤵
PID:3368

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /reset
2⤵
PID:208

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
2⤵
PID:3860

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /reset
2⤵
PID:3044

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
2⤵
PID:3620

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /reset
2⤵
PID:3932

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
2⤵
PID:3056

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /reset
2⤵
PID:2500

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
2⤵
PID:1696

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /reset
2⤵
PID:1684

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
2⤵
PID:980

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /reset
2⤵
PID:3568

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
2⤵
- Modifies file permissions
PID:3572

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /reset
2⤵
PID:620

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"
2⤵
PID:260

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /reset
2⤵
PID:2020

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
2⤵
PID:1636

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /reset
2⤵
PID:2144

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
2⤵
PID:2976

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /reset
2⤵
PID:1440

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
2⤵
- Modifies file permissions
PID:3448

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /reset
2⤵
PID:2264

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"
2⤵
PID:1612

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /reset
2⤵
PID:916

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
2⤵
PID:1848

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /reset
2⤵
PID:2424

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1948

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /reset
2⤵
- Modifies file permissions
PID:3644

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
2⤵
PID:2836

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /reset
2⤵
PID:3556

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"
2⤵
- Modifies file permissions
PID:3032

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /reset
2⤵
- Possible privilege escalation attempt
PID:360

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
2⤵
PID:3136

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /reset
2⤵
- Possible privilege escalation attempt
PID:2100

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\countrytable.xml"
2⤵
PID:1488

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\countrytable.xml" /reset
2⤵
PID:3096

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.chk"
2⤵
PID:3756

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.chk" /reset
2⤵
PID:276

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.chk"
2⤵
PID:256

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.chk" /reset
2⤵
PID:884

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.chk"
2⤵
PID:3276

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.chk" /reset
2⤵
PID:3004

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.chk"
2⤵
PID:828

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.chk" /reset
2⤵
PID:2436

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.chk"
2⤵
PID:932

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.chk" /reset
2⤵
PID:1852

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.log"
2⤵
PID:2288

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.log" /reset
2⤵
- Possible privilege escalation attempt
PID:1100

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.log"
2⤵
PID:1928

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.log" /reset
2⤵
PID:2172

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.log"
2⤵
PID:3444

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.log" /reset
2⤵
PID:2248

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.log"
2⤵
PID:3992

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.log" /reset
2⤵
PID:3524

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.log"
2⤵
PID:1300

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.log" /reset
2⤵
PID:1036

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb00001.log"
2⤵
PID:1696

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb00001.log" /reset
2⤵
PID:1332

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb00001.log"
2⤵
PID:3100

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb00001.log" /reset
2⤵
- Possible privilege escalation attempt
PID:3564

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb00001.log"
2⤵
PID:1716

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb00001.log" /reset
2⤵
PID:264

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb00001.log"
2⤵
PID:276

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb00001.log" /reset
2⤵
- Modifies file permissions
PID:260

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb00001.log"
2⤵
PID:3680

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb00001.log" /reset
2⤵
PID:1336

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"
2⤵
PID:3548

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /reset
2⤵
PID:872

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"
2⤵
- Possible privilege escalation attempt
PID:1440

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /reset
2⤵
PID:3448

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"
2⤵
PID:1216

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /reset
2⤵
PID:1132

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"
2⤵
PID:916

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /reset
2⤵
PID:3368

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"
2⤵
PID:1936

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /reset
2⤵
PID:1948

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"
2⤵
PID:3620

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /reset
2⤵
PID:3932

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"
2⤵
PID:1176

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /reset
2⤵
PID:1300

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"
2⤵
PID:1860

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /reset
2⤵
PID:4000

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"
2⤵
- Possible privilege escalation attempt
PID:1684

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /reset
2⤵
- Possible privilege escalation attempt
PID:980

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"
2⤵
PID:3284

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /reset
2⤵
PID:272

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbtmp.log"
2⤵
PID:1876

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbtmp.log" /reset
2⤵
PID:280

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbtmp.log"
2⤵
PID:3192

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbtmp.log" /reset
2⤵
PID:1340

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbtmp.log"
2⤵
- Modifies file permissions
PID:1336

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbtmp.log" /reset
2⤵
PID:3548

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbtmp.log"
2⤵
PID:828

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbtmp.log" /reset
2⤵
PID:752

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbtmp.log"
2⤵
PID:920

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbtmp.log" /reset
2⤵
PID:1252

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
2⤵
- Possible privilege escalation attempt
PID:2336

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /reset
2⤵
PID:1492

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
2⤵
PID:3248

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /reset
2⤵
PID:3796

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
2⤵
PID:836

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /reset
2⤵
PID:608

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
2⤵
PID:2836

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /reset
2⤵
PID:200

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
2⤵
PID:3792

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /reset
2⤵
- Modifies file permissions
PID:1944

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"
2⤵
PID:3540

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /reset
2⤵
PID:2688

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"
2⤵
- Possible privilege escalation attempt
PID:268

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /reset
2⤵
- Possible privilege escalation attempt
PID:3804

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"
2⤵
PID:1324

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /reset
2⤵
PID:3708

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"
2⤵
PID:2140

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /reset
2⤵
- Possible privilege escalation attempt
PID:1636

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"
2⤵
PID:2840

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /reset
2⤵
- Modifies file permissions
PID:1108

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Storage Health\StorageHealthModel.dat"
2⤵
PID:1620

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Storage Health\StorageHealthModel.dat" /reset
2⤵
PID:3976

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml"
2⤵
- Possible privilege escalation attempt
PID:752

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml" /reset
2⤵
PID:920

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml"
2⤵
PID:3080

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml" /reset
2⤵
PID:1644

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml"
2⤵
PID:3452

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml" /reset
2⤵
PID:2424

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml"
2⤵
PID:212

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml" /reset
2⤵
- Modifies file permissions
PID:3444

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml"
2⤵
PID:3992

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml" /reset
2⤵
PID:660

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml"
2⤵
PID:2500

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml" /reset
2⤵
PID:1808

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml"
2⤵
PID:1944

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml" /reset
2⤵
PID:4000

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml"
2⤵
PID:2688

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml" /reset
2⤵
PID:268

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml"
2⤵
PID:3788

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml" /reset
2⤵
- Possible privilege escalation attempt
PID:1520

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml"
2⤵
- Possible privilege escalation attempt
PID:884

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml" /reset
2⤵
PID:2364

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml"
2⤵
PID:2180

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml" /reset
2⤵
PID:2008

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml"
2⤵
PID:1336

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml" /reset
2⤵
PID:3500

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml"
2⤵
PID:3040

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml" /reset
2⤵
PID:1584

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml"
2⤵
PID:2716

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml" /reset
2⤵
PID:3028

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml"
2⤵
- Modifies file permissions
PID:2084

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml" /reset
2⤵
PID:1112

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml"
2⤵
PID:3868

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml" /reset
2⤵
PID:1936

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml"
2⤵
- Possible privilege escalation attempt
PID:3056

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml" /reset
2⤵
PID:3932

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml"
2⤵
PID:200

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml" /reset
2⤵
PID:1960

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml"
2⤵
PID:3184

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml" /reset
2⤵
PID:3568

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml"
2⤵
PID:2100

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml" /reset
2⤵
- Modifies file permissions
PID:1724

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml"
2⤵
PID:2688

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml" /reset
2⤵
PID:3052

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml"
2⤵
PID:3096

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml" /reset
2⤵
PID:3756

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml"
2⤵
PID:884

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml" /reset
2⤵
PID:276

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml"
2⤵
- Modifies file permissions
PID:2180

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml" /reset
2⤵
PID:3948

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml"
2⤵
PID:1336

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml" /reset
2⤵
PID:3500

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml"
2⤵
PID:3040

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml" /reset
2⤵
PID:1164

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml"
2⤵
PID:2716

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml" /reset
2⤵
PID:1644

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml"
2⤵
PID:4044

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml" /reset
2⤵
PID:2172

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml"
2⤵
PID:984

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml" /reset
2⤵
PID:3260

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml"
2⤵
PID:688

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml" /reset
2⤵
PID:1124

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\VdiState.xml"
2⤵
- Modifies file permissions
PID:2500

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\VdiState.xml" /reset
2⤵
PID:1860

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"
2⤵
PID:1412

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /reset
2⤵
PID:1932

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
2⤵
PID:2944

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /reset
2⤵
PID:3572

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
2⤵
PID:3144

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /reset
2⤵
PID:3884

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
2⤵
PID:1232

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /reset
2⤵
- Possible privilege escalation attempt
PID:2144

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:932

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Possible privilege escalation attempt
PID:1852

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3448

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2664

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:916

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:208

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3644

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3856

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:4048

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:820

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1036

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:660

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3120

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3920

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Modifies file permissions
PID:2992

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1056

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Modifies file permissions
PID:2564

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1332

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2688

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:620

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1444

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2020

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2436

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1336

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1852

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3448

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2596

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1848

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:208

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3248

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1832

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3796

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:820

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1036

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:660

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2500

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Modifies file permissions
PID:1808

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Modifies file permissions
PID:3376

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1056

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1724

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3804

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Possible privilege escalation attempt
PID:1876

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:620

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2008

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1372

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2144

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Modifies file permissions
PID:1712

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3040

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Modifies file permissions
PID:3448

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Modifies file permissions
PID:1216

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3692

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:592

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1492

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2248

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3056

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3992

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Possible privilege escalation attempt
PID:1036

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1960

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3184

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1300

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Possible privilege escalation attempt
PID:3376

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:980

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Possible privilege escalation attempt
PID:1724

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1332

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1920

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Possible privilege escalation attempt
PID:884

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3548

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:420

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Modifies file permissions
PID:1428

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Modifies file permissions
PID:3500

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1612

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:920

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3368

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3860

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2172

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3076

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1936

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3260

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:820

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:704

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1860

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1944

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Possible privilege escalation attempt
PID:3564

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2944

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3572

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1768

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1520

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:276

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1108

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Modifies file permissions
PID:1752

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3976

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1336

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1164

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3928

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1100

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Modifies file permissions
PID:1848

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Modifies file permissions
PID:208

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:984

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3084

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Modifies file permissions
PID:3796

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3560

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:200

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2836

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3540

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1932

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3108

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3788

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3144

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:272

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Modifies file permissions
PID:2140

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2976

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3948

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2264

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:4084

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2892

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1132

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1612

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1192

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3044

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3692

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Modifies file permissions
PID:2704

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3524

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2184

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3056

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:820

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:704

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1860

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2100

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3536

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2944

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3456

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Modifies file permissions
PID:1768

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1876

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:620

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:260

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1752

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3696

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1336

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3500

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2664

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3080

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3860

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2424

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3076

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1948

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3260

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3556

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2500

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:660

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1944

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat"
2⤵
PID:1696

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat" /reset
2⤵
PID:252

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat"
2⤵
PID:3100

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat" /reset
2⤵
PID:1716

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat"
2⤵
PID:3096

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat" /reset
2⤵
PID:3708

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat"
2⤵
PID:1444

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat" /reset
2⤵
PID:3276

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat"
2⤵
PID:2008

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat" /reset
2⤵
PID:420

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1712

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Possible privilege escalation attempt
PID:2288

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2716

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3868

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3800

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1644

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1492

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:212

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3444

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:64

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1208

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1960

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3184

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2992

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2056

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2688

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3804

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:276

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1108

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2360

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1916

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1372

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1164

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1216

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1584

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1100

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:4052

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Possible privilege escalation attempt
PID:208

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Possible privilege escalation attempt
PID:688

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Modifies file permissions
PID:360

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Possible privilege escalation attempt
PID:1816

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3560

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:4000

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1412

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3032

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Modifies file permissions
PID:1932

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3572

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Possible privilege escalation attempt
PID:1724

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3100

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2240

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3096

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1920

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:260

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3720

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3696

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3448

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3028

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:608

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Modifies file permissions
PID:1252

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3868

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Possible privilege escalation attempt
PID:1928

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3856

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3076

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3524

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3796

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3920

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1316

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1488

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1944

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Modifies file permissions
PID:1808

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3376

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Possible privilege escalation attempt
PID:1684

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Modifies file permissions
PID:3052

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3096

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:884

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1444

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3976

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:932

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2144

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1336

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1612

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1192

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Modifies file permissions
PID:3644

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3996

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2424

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Possible privilege escalation attempt
PID:360

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3932

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3560

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3136

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:704

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3568

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2992

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1324

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2056

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2944

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1620

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3096

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2020

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1444

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3472

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1852

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Possible privilege escalation attempt
PID:3040

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1336

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2664

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1192

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3860

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3996

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1492

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3076

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Modifies file permissions
PID:3932

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Modifies file permissions
PID:3560

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:820

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:704

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1932

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2992

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:252

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Modifies file permissions
PID:3884

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Possible privilege escalation attempt
PID:1684

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1620

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1340

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2020

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1372

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3472

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:4064

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3040

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Possible privilege escalation attempt
PID:3452

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1100

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3080

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3248

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2996

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1948

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2836

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:64

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1860

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1168

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2152

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:264

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2992

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:252

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2056

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1684

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2360

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1340

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2976

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1372

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2596

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1976

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:4044

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Modifies file permissions
PID:3500

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2716

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1848

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3800

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3620

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:984

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1816

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3920

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:4000

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3788

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3032

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3564

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2564

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1648

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3708

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1920

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1440

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:872

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2892

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Modifies file permissions
PID:1216

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3448

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:836

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2172

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:208

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:916

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Modifies file permissions
PID:1644

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3264

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:200

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1056

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1900

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1412

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Possible privilege escalation attempt
PID:1960

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms"
2⤵
PID:1036

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms" /reset
2⤵
PID:1520

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\DeviceMetadataStore\en-US\63921eef-8415-4368-9201-f0df4af5778f.devicemetadata-ms"
2⤵
PID:1696

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\DeviceMetadataStore\en-US\63921eef-8415-4368-9201-f0df4af5778f.devicemetadata-ms" /reset
2⤵
PID:2992

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\MpAsBase.vdm"
2⤵
PID:3780

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\MpAsBase.vdm" /reset
2⤵
PID:3456

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\MpAsDlta.vdm"
2⤵
PID:1332

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\MpAsDlta.vdm" /reset
2⤵
- Possible privilege escalation attempt
PID:420

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\MpAvBase.vdm"
2⤵
PID:1132

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\MpAvBase.vdm" /reset
2⤵
PID:620

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\MpAvDlta.vdm"
2⤵
PID:3472

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\MpAvDlta.vdm" /reset
2⤵
PID:2144

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\NisBase.vdm"
2⤵
PID:4084

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\NisBase.vdm" /reset
2⤵
PID:1612

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\NisFull.vdm"
2⤵
- Modifies file permissions
PID:608

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\NisFull.vdm" /reset
2⤵
PID:1252

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender Advanced Threat Protection\Cache"
2⤵
PID:3692

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender Advanced Threat Protection\Cache" /reset
2⤵
PID:2424

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\confident.cov"
2⤵
PID:3524

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\confident.cov" /reset
2⤵
PID:3260

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\fyi.cov"
2⤵
PID:1412

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\fyi.cov" /reset
2⤵
PID:4000

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\generic.cov"
2⤵
PID:3144

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\generic.cov" /reset
2⤵
PID:1520

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\urgent.cov"
2⤵
PID:3564

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\urgent.cov" /reset
2⤵
PID:1324

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov"
2⤵
PID:1648

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov" /reset
2⤵
PID:3456

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov"
2⤵
PID:1332

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov" /reset
2⤵
PID:420

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov"
2⤵
PID:1164

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov" /reset
2⤵
PID:620

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov"
2⤵
PID:2568

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov" /reset
2⤵
PID:828

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\confident.cov"
2⤵
PID:1336

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\confident.cov" /reset
2⤵
PID:2972

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\fyi.cov"
2⤵
PID:208

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\fyi.cov" /reset
2⤵
PID:3860

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\generic.cov"
2⤵
PID:2728

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\generic.cov" /reset
2⤵
PID:2060

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\urgent.cov"
2⤵
PID:3056

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\urgent.cov" /reset
2⤵
- Possible privilege escalation attempt
PID:2184

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\confident.cov"
2⤵
PID:2836

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\confident.cov" /reset
2⤵
PID:3536

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\fyi.cov"
2⤵
PID:1860

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\fyi.cov" /reset
2⤵
PID:2500

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\generic.cov"
2⤵
PID:3756

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\generic.cov" /reset
2⤵
PID:3548

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\urgent.cov"
2⤵
PID:2688

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\urgent.cov" /reset
2⤵
PID:276

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\de-DE\WelcomeFax.tif"
2⤵
PID:1876

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\de-DE\WelcomeFax.tif" /reset
2⤵
PID:532

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif"
2⤵
PID:3096

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif" /reset
2⤵
- Modifies file permissions
PID:1108

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\fr-FR\WelcomeFax.tif"
2⤵
PID:1444

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\fr-FR\WelcomeFax.tif" /reset
2⤵
PID:2876

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\ja-JP\WelcomeFax.tif"
2⤵
PID:2568

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\ja-JP\WelcomeFax.tif" /reset
2⤵
PID:2144

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg"
2⤵
PID:4064

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg" /reset
2⤵
- Possible privilege escalation attempt
PID:1612

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Start Menu"
2⤵
PID:1856

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Start Menu" /reset
2⤵
PID:1540

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Templates"
2⤵
PID:3996

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Templates" /reset
2⤵
PID:3556

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk"
2⤵
- Modifies file permissions
PID:2184

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk" /reset
2⤵
PID:1488

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk"
2⤵
PID:3536

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk" /reset
2⤵
PID:1860

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk"
2⤵
PID:2500

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk" /reset
2⤵
PID:2240

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk"
2⤵
- Modifies file permissions
PID:3548

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk" /reset
2⤵
PID:3376

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk"
2⤵
PID:252

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk" /reset
2⤵
PID:2056

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log"
2⤵
PID:3744

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log" /reset
2⤵
PID:872

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log"
2⤵
PID:2892

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log" /reset
2⤵
PID:1164

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log"
2⤵
- Modifies file permissions
PID:3472

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log" /reset
2⤵
PID:3928

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log"
2⤵
- Modifies file permissions
PID:4084

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log" /reset
2⤵
PID:4044

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log"
2⤵
PID:3500

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log" /reset
2⤵
PID:2208

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log"
2⤵
PID:3916

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log" /reset
2⤵
- Possible privilege escalation attempt
PID:2684

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log"
2⤵
PID:916

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log" /reset
2⤵
PID:2364

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log"
2⤵
PID:200

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log" /reset
2⤵
PID:3056

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log"
2⤵
PID:3620

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log" /reset
2⤵
PID:2184

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log"
2⤵
PID:3524

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log" /reset
2⤵
PID:3136

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"
2⤵
- Possible privilege escalation attempt
PID:1036

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /reset
2⤵
PID:1932

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"
2⤵
PID:3788

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /reset
2⤵
PID:2992

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"
2⤵
PID:1944

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /reset
2⤵
PID:2264

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"
2⤵
PID:1876

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /reset
2⤵
PID:532

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"
2⤵
PID:3096

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /reset
2⤵
PID:1108

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"
2⤵
PID:1444

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /reset
2⤵
PID:828

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"
2⤵
PID:3040

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /reset
2⤵
PID:1100

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"
2⤵
PID:2164

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /reset
2⤵
PID:1380

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"
2⤵
PID:3652

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /reset
2⤵
PID:3116

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"
2⤵
PID:948

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /reset
2⤵
PID:1540

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log"
2⤵
PID:2704

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log" /reset
2⤵
PID:3056

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log"
2⤵
- Modifies file permissions
PID:3620

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log" /reset
2⤵
PID:2184

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log"
2⤵
PID:3524

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log" /reset
2⤵
PID:1860

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log"
2⤵
- Possible privilege escalation attempt
PID:1716

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log" /reset
2⤵
PID:3884

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log"
2⤵
PID:1324

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log" /reset
2⤵
PID:1648

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
2⤵
PID:1944

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /reset
2⤵
- Possible privilege escalation attempt
PID:1684

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
2⤵
PID:2020

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /reset
2⤵
PID:872

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
2⤵
PID:2492

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /reset
2⤵
PID:1164

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
2⤵
PID:2876

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /reset
2⤵
PID:828

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
2⤵
PID:1376

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /reset
2⤵
PID:1100

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"
2⤵
PID:2164

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /reset
2⤵
PID:1380

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"
2⤵
PID:688

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /reset
2⤵
PID:1252

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"
2⤵
PID:2356

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /reset
2⤵
PID:2364

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"
2⤵
PID:200

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /reset
2⤵
PID:1900

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"
2⤵
PID:64

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /reset
2⤵
PID:2184

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:704

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2500

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3564

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3884

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Modifies file permissions
PID:3376

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2564

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2056

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3696

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:932

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3044

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3948

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1852

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2084

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2248

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:752

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2336

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2664

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2612

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1628

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2120

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:948

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1540

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2424

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3056

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:268

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:868

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1168

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1316

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1716

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3120

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1324

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1648

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1944

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1684

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:1712

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:872

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2492

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1428

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Possible privilege escalation attempt
PID:2568

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:828

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2716

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3912

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2208

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Possible privilege escalation attempt
PID:3916

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3388

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1252

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3076

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3556

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Possible privilege escalation attempt
PID:2836

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:4000

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3136

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1412

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:704

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3572

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:2240

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3456

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Possible privilege escalation attempt
PID:252

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3708

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:884

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2020

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3028

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3044

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3472

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:1852

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
- Modifies file permissions
PID:3992

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Possible privilege escalation attempt
PID:2248

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3452

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2336

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3860

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:2728

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3084

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
- Modifies file permissions
PID:1056

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:3932

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3556

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat"
2⤵
PID:984

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset
2⤵
PID:3056

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3808

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RestoreHide.gif.readme2unlock.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Application Data\Microsoft\Windows\PRICache\1601268389\3068621934.pri
MD5
95ca1f57e0c1bdbd5a1a730fe9dbf141

SHA1
f7494d16f3c2815abecca1e74fb1a980aadb1151

SHA256
a8d03441421cd454674e855f3a951f41ba35cc3a15e11d7280992ed9450bfca2

SHA512
8846e11a14cd4a3e13990ca2d2ea35bb7ec4bc569ea316ba294aa1d7e449674c9127993074557b2c9144577457430cc9a657bca7cce9815fbbe263424fc26ace

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Microsoft\Windows\PRICache\4183903823\1195458082.pri
MD5
fb503b0c49382cbcdc00a8f74f449b21

SHA1
e2bde2ff0afc545b181f0f74d20f7c6c58027ea0

SHA256
b005b2a3e8e525abf6634c51931ce7b1369b2555043b41f2fc14fffac4f621d4

SHA512
72f1b7d7dff9e47c85e7521cbfe46286c2826ca96775220e00f017df6ec9dc827df98e1c092f6bb786933bae9202bbaa5273dc7c3eedf6955a5b863750a25486

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Temp\22288.tmp
MD5
486a88f7533f3daae7d4f523a583c0e7

SHA1
0d6b0cc4e0a759e6d597dc7e59494bbf182d662f

SHA256
62afd19d510d1497063593d8f441af3815b9caeffdbe494e1480ebc796129473

SHA512
22539deeb66e775da6f4bdd5ecb4b951ed050b721ae1ff8caf1108054798674de0c05e733361022817b0b13f0cc0c2655c511371e26d69967fabe0ea85958f47

Download Submit
C:\Users\Admin\AppData\Roaming\5JZpJVsk:mJSsMH
MD5
69061465ae5067710402c832412e2dae

SHA1
963f6c4e2f7c202fd1676eee27c160de2ad2f774

SHA256
b9a8710e55bb2d55bbeed9cebb83ac2f18f78818f0c05f18c96f766c8c47e2d9

SHA512
d83f8a8ff393c6e5900b07d49d06f74f9066088eb2e31c1e864e5175368190f4be99dc18c3b40726921b0b4c6e905d4a2f7ec325ad676cb9dfcffb153b16465b

Download Submit
C:\Users\Admin\AppData\Roaming\5JZpJVsk:mJSsMH
MD5
69061465ae5067710402c832412e2dae

SHA1
963f6c4e2f7c202fd1676eee27c160de2ad2f774

SHA256
b9a8710e55bb2d55bbeed9cebb83ac2f18f78818f0c05f18c96f766c8c47e2d9

SHA512
d83f8a8ff393c6e5900b07d49d06f74f9066088eb2e31c1e864e5175368190f4be99dc18c3b40726921b0b4c6e905d4a2f7ec325ad676cb9dfcffb153b16465b

Download Submit
C:\Users\Admin\AppData\Roaming\ZQKG30~1:XqCwN
MD5
69061465ae5067710402c832412e2dae

SHA1
963f6c4e2f7c202fd1676eee27c160de2ad2f774

SHA256
b9a8710e55bb2d55bbeed9cebb83ac2f18f78818f0c05f18c96f766c8c47e2d9

SHA512
d83f8a8ff393c6e5900b07d49d06f74f9066088eb2e31c1e864e5175368190f4be99dc18c3b40726921b0b4c6e905d4a2f7ec325ad676cb9dfcffb153b16465b

Download Submit
C:\Users\Admin\AppData\Roaming\ZQKG30~1:XqCwN
MD5
69061465ae5067710402c832412e2dae

SHA1
963f6c4e2f7c202fd1676eee27c160de2ad2f774

SHA256
b9a8710e55bb2d55bbeed9cebb83ac2f18f78818f0c05f18c96f766c8c47e2d9

SHA512
d83f8a8ff393c6e5900b07d49d06f74f9066088eb2e31c1e864e5175368190f4be99dc18c3b40726921b0b4c6e905d4a2f7ec325ad676cb9dfcffb153b16465b

Download Submit
C:\Users\Admin\Desktop\RestoreHide.gif.readme2unlock.txt
MD5
d5c57d4069678b1bcde24d9a4e42a880

SHA1
95f4d49f8e2e336f163bf68ddadea9ae61c568e2

SHA256
8a426254830a8450d98b8cbf618c49fceb22bc1b6d6d01bd2a7fe454e522d346

SHA512
1cb94610a6d92a2b9a6369f751d0199c1f5dfcd5d6a93f39fa7ea9550807f500285e33870b6642f19bde59dc5fc94e89b02c01bd56d96cf812fea2d307ee096e

Download Submit
C:\Users\gratemin\Desktop\p1q135no.exe
MD5
69061465ae5067710402c832412e2dae

SHA1
963f6c4e2f7c202fd1676eee27c160de2ad2f774

SHA256
b9a8710e55bb2d55bbeed9cebb83ac2f18f78818f0c05f18c96f766c8c47e2d9

SHA512
d83f8a8ff393c6e5900b07d49d06f74f9066088eb2e31c1e864e5175368190f4be99dc18c3b40726921b0b4c6e905d4a2f7ec325ad676cb9dfcffb153b16465b

Download Submit
C:\Users\gratemin\Desktop\p1q135no.exe
MD5
69061465ae5067710402c832412e2dae

SHA1
963f6c4e2f7c202fd1676eee27c160de2ad2f774

SHA256
b9a8710e55bb2d55bbeed9cebb83ac2f18f78818f0c05f18c96f766c8c47e2d9

SHA512
d83f8a8ff393c6e5900b07d49d06f74f9066088eb2e31c1e864e5175368190f4be99dc18c3b40726921b0b4c6e905d4a2f7ec325ad676cb9dfcffb153b16465b

Download Submit
C:\Windows\System32\msdtc.exe
MD5
69061465ae5067710402c832412e2dae

SHA1
963f6c4e2f7c202fd1676eee27c160de2ad2f774

SHA256
b9a8710e55bb2d55bbeed9cebb83ac2f18f78818f0c05f18c96f766c8c47e2d9

SHA512
d83f8a8ff393c6e5900b07d49d06f74f9066088eb2e31c1e864e5175368190f4be99dc18c3b40726921b0b4c6e905d4a2f7ec325ad676cb9dfcffb153b16465b

Download Submit
C:\Windows\System32\msdtc.exe
MD5
69061465ae5067710402c832412e2dae

SHA1
963f6c4e2f7c202fd1676eee27c160de2ad2f774

SHA256
b9a8710e55bb2d55bbeed9cebb83ac2f18f78818f0c05f18c96f766c8c47e2d9

SHA512
d83f8a8ff393c6e5900b07d49d06f74f9066088eb2e31c1e864e5175368190f4be99dc18c3b40726921b0b4c6e905d4a2f7ec325ad676cb9dfcffb153b16465b

Download Submit
memory/64-185-0x0000000000000000-mapping.dmp

Download
memory/252-163-0x0000000000000000-mapping.dmp

Download
memory/280-190-0x0000000000000000-mapping.dmp

Download
memory/360-184-0x0000000000000000-mapping.dmp

Download
memory/660-178-0x0000000000000000-mapping.dmp

Download
memory/704-158-0x0000000000000000-mapping.dmp

Download
memory/836-128-0x0000000000000000-mapping.dmp

Download
memory/864-187-0x0000000000000000-mapping.dmp

Download
memory/872-170-0x0000000000000000-mapping.dmp

Download
memory/1020-177-0x0000000000000000-mapping.dmp

Download
memory/1060-164-0x0000000000000000-mapping.dmp

Download
memory/1072-156-0x0000000000000000-mapping.dmp

Download
memory/1132-120-0x0000000000000000-mapping.dmp

Download
memory/1168-126-0x0000000000000000-mapping.dmp

Download
memory/1176-183-0x0000000000000000-mapping.dmp

Download
memory/1192-147-0x0000000000000000-mapping.dmp

Download
memory/1196-123-0x0000000000BF0000-0x0000000000BF6000-memory.dmp

Filesize
24KB

Download
memory/1196-118-0x0000000001400000-0x0000000001728000-memory.dmp

Filesize
3.2MB

Download
memory/1196-115-0x0000000000000000-mapping.dmp

Download
memory/1244-186-0x0000000000000000-mapping.dmp

Download
memory/1248-157-0x0000000000000000-mapping.dmp

Download
memory/1340-166-0x0000000000000000-mapping.dmp

Download
memory/1508-151-0x0000000000000000-mapping.dmp

Download
memory/1612-139-0x0000000000000000-mapping.dmp

Download
memory/1644-175-0x0000000000000000-mapping.dmp

Download
memory/1648-165-0x0000000000000000-mapping.dmp

Download
memory/1712-195-0x0000000000000000-mapping.dmp

Download
memory/1724-189-0x0000000000000000-mapping.dmp

Download
memory/1728-192-0x0000000000000000-mapping.dmp

Download
memory/1816-182-0x0000000000000000-mapping.dmp

Download
memory/1916-169-0x0000000000000000-mapping.dmp

Download
memory/1944-155-0x0000000000000000-mapping.dmp

Download
memory/2008-196-0x0000000000000000-mapping.dmp

Download
memory/2020-131-0x0000000000000000-mapping.dmp

Download
memory/2084-146-0x0000000000000000-mapping.dmp

Download
memory/2120-167-0x0000000000000000-mapping.dmp

Download
memory/2120-132-0x0000000000000000-mapping.dmp

Download
memory/2144-193-0x0000000000000000-mapping.dmp

Download
memory/2264-172-0x0000000000000000-mapping.dmp

Download
memory/2400-173-0x0000000000000000-mapping.dmp

Download
memory/2564-150-0x0000000000000000-mapping.dmp

Download
memory/2752-154-0x0000000000000000-mapping.dmp

Download
memory/2816-180-0x0000000000000000-mapping.dmp

Download
memory/2840-136-0x0000000000000000-mapping.dmp

Download
memory/3032-159-0x0000000000000000-mapping.dmp

Download
memory/3052-161-0x0000000000000000-mapping.dmp

Download
memory/3100-127-0x0000000000000000-mapping.dmp

Download
memory/3100-160-0x0000000000000000-mapping.dmp

Download
memory/3108-162-0x0000000000000000-mapping.dmp

Download
memory/3208-171-0x0000000000000000-mapping.dmp

Download
memory/3216-194-0x0000000000000000-mapping.dmp

Download
memory/3264-174-0x0000000000000000-mapping.dmp

Download
memory/3284-179-0x0000000000000000-mapping.dmp

Download
memory/3500-137-0x0000000000000000-mapping.dmp

Download
memory/3540-129-0x0000000000000000-mapping.dmp

Download
memory/3564-188-0x0000000000000000-mapping.dmp

Download
memory/3708-191-0x0000000000000000-mapping.dmp

Download
memory/3756-130-0x0000000000000000-mapping.dmp

Download
memory/3856-176-0x0000000000000000-mapping.dmp

Download
memory/3928-138-0x0000000000000000-mapping.dmp

Download
memory/3948-168-0x0000000000000000-mapping.dmp

Download
memory/3960-153-0x0000000000000000-mapping.dmp

Download
memory/4020-141-0x0000000000000000-mapping.dmp

Download
memory/4020-149-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/4044-148-0x0000000000000000-mapping.dmp

Download
memory/4084-152-0x0000000000000000-mapping.dmp

Download
memory/4088-181-0x0000000000000000-mapping.dmp

Download