Analysis
- max time kernel: 141s
- max time network: 123s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 20-10-2021 11:56
Static task
static1
Behavioral task
behavioral1
Sample
DoppelPaymer.RANSOM.bin.exe
Resource
win10-en-20211014
General
- Target: DoppelPaymer.RANSOM.bin.exe
- Size: 3.2MB
- MD5: 8c54bbe3f191a8627bfeeb4cb02634a9
- SHA1: 2fc2ecbed153344557386e80a2fbd097bf795559
- SHA256: f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555
- SHA512: 752d4bb22765373f7ee185acc42b73d5f2b75ae46ed995bf2f59486038a512eca30c5ecf040541cc2833df005ee17db00a0ec5ae802b677ff468f256ea53ecd2
Malware Config
Extracted
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.readme2unlock.txt
btpsupport@protonmail.com
http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Extracted
C:\vcredist2010_x64.log.html.readme2unlock.txt
btpsupport@protonmail.com
http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Extracted
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.readme2unlock.txt
btpsupport@protonmail.com
http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Extracted
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.readme2unlock.txt
btpsupport@protonmail.com
http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Extracted
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.readme2unlock.txt
btpsupport@protonmail.com
http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Extracted
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.readme2unlock.txt
btpsupport@protonmail.com
http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Extracted
C:\vcredist2019_x64_000_vcRuntimeMinimum_x64.log.readme2unlock.txt
btpsupport@protonmail.com
http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Extracted
C:\vcredist2019_x64_001_vcRuntimeAdditional_x64.log.readme2unlock.txt
btpsupport@protonmail.com
http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Extracted
C:\Boot\updaterevokesipolicy.p7b.readme2unlock.txt
btpsupport@protonmail.com
http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Extracted
C:\Boot\bg-BG\bootmgr.exe.mui.readme2unlock.txt
btpsupport@protonmail.com
http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Signatures
-
BitPaymer
BitPaymer is a Trojan horse that encrypts files on a computer.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 4 IoCs
Processes:
pid process
1196 p1q135no.exe
1132 5JZpJVsk:mJSsMH
2940 msdtc.exe
4020 ZQKG30~1:XqCwN
-
Possible privilege escalation attempt 64 IoCs
-
Sets service image path in registry 2 TTPs
-
Modifies file permissions 1 TTPs 64 IoCs
-
Checks whether UAC is enabled
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA p1q135no.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5JZpJVsk:mJSsMH
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA msdtc.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ZQKG30~1:XqCwN
-
Drops file in System32 directory 2 IoCs
Processes:
description ioc process
File opened for modification C:\Windows\System32\msdtc.exe 5JZpJVsk:mJSsMH
File created C:\Windows\System32\msdtc.exe:0 5JZpJVsk:mJSsMH
-
Drops file in Windows directory 2 IoCs
Processes:
description ioc process
File created C:\Windows\rescache\_merged\4183903823\1195458082.pri taskmgr.exe
File created C:\Windows\rescache\_merged\1601268389\3068621934.pri taskmgr.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName taskmgr.exe
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid process
3756 vssadmin.exe
1508 vssadmin.exe
-
NTFS ADS 2 IoCs
Processes:
description ioc process
File created C:\Users\Admin\AppData\Roaming\5JZpJVsk:mJSsMH p1q135no.exe
File created C:\Users\Admin\AppData\Roaming\ZQKG30~1:XqCwN msdtc.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid process
344 NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
3808 taskmgr.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid process
1816 DoppelPaymer.RANSOM.bin.exe
1816 DoppelPaymer.RANSOM.bin.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DoppelPaymer.RANSOM.bin.exe 1⤵
"C:\Users\Admin\AppData\Local\Temp\DoppelPaymer.RANSOM.bin.exe"
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\gratemin\Desktop\p1q135no.exe 2⤵
"C:\Users\gratemin\Desktop\p1q135no.exe" QWD5MRg95gUEfGVSvUGBY84h
- Executes dropped EXE
- Checks whether UAC is enabled
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\5JZpJVsk:mJSsMH 3⤵
C:\Users\Admin\AppData\Roaming\5JZpJVsk:mJSsMH QWD5MRg95gUEfGVSvUGBY84h C:\Users\gratemin\Desktop\p1q135no.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exe 4⤵
C:\Windows\system32\takeown.exe /F "C:\Program Files\Windows Defender\NisSrv.exe"
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe 4⤵
C:\Windows\system32\icacls.exe "C:\Program Files\Windows Defender\NisSrv.exe" /reset
-
C:\Windows\system32\takeown.exe 4⤵
C:\Windows\system32\takeown.exe /F "C:\Program Files\Windows Defender\MsMpEng.exe"
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe 4⤵
C:\Windows\system32\icacls.exe "C:\Program Files\Windows Defender\MsMpEng.exe" /reset
-
C:\Windows\system32\vssadmin.exe 4⤵
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
- Interacts with shadow copies
-
C:\Windows\system32\takeown.exe 4⤵
C:\Windows\system32\takeown.exe /F C:\Windows\System32\msdtc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe 4⤵
C:\Windows\system32\icacls.exe C:\Windows\System32\msdtc.exe /reset
-
C:\Windows\system32\vssvc.exe 1⤵
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\msdtc.exe 1⤵
C:\Windows\System32\msdtc.exe QWD5MRg95gUEfGVSvUGBY84h
- Executes dropped EXE
- Checks whether UAC is enabled
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F "C:\Program Files\Windows Defender\NisSrv.exe"
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe 2⤵
C:\Windows\system32\icacls.exe "C:\Program Files\Windows Defender\NisSrv.exe" /reset
-
C:\Windows\system32\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F "C:\Program Files\Windows Defender\MsMpEng.exe"
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe 2⤵
C:\Windows\system32\icacls.exe "C:\Program Files\Windows Defender\MsMpEng.exe" /reset
-
C:\Users\Admin\AppData\Roaming\ZQKG30~1:XqCwN 2⤵
C:\Users\Admin\AppData\Roaming\ZQKG30~1:XqCwN QWD5MRg95gUEfGVSvUGBY84h
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exe 3⤵
C:\Windows\system32\takeown.exe /F "C:\Program Files\Windows Defender\NisSrv.exe"
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe 3⤵
C:\Windows\system32\icacls.exe "C:\Program Files\Windows Defender\NisSrv.exe" /reset
-
C:\Windows\system32\takeown.exe 3⤵
C:\Windows\system32\takeown.exe /F "C:\Program Files\Windows Defender\MsMpEng.exe"
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe 3⤵
C:\Windows\system32\icacls.exe "C:\Program Files\Windows Defender\MsMpEng.exe" /reset
-
C:\Windows\system32\vssadmin.exe 3⤵
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
- Interacts with shadow copies
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\updaterevokesipolicy.p7b
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\updaterevokesipolicy.p7b /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\bg-BG\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\bg-BG\bootmgr.exe.mui /reset
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\cs-CZ\bootmgr.exe.mui
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\cs-CZ\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\cs-CZ\memtest.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\cs-CZ\memtest.exe.mui /reset
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\da-DK\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\da-DK\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\da-DK\memtest.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\da-DK\memtest.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\de-DE\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\de-DE\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\de-DE\memtest.exe.mui
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\de-DE\memtest.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\el-GR\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\el-GR\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\el-GR\memtest.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\el-GR\memtest.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\en-GB\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\en-GB\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\en-US\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\en-US\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\en-US\memtest.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\en-US\memtest.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\es-ES\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\es-ES\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\es-ES\memtest.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\es-ES\memtest.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\es-MX\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\es-MX\bootmgr.exe.mui /reset
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\et-EE\bootmgr.exe.mui
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\et-EE\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\fi-FI\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\fi-FI\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\fi-FI\memtest.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\fi-FI\memtest.exe.mui /reset
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\fr-CA\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\fr-CA\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\fr-FR\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\fr-FR\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\fr-FR\memtest.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\fr-FR\memtest.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\hr-HR\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\hr-HR\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\hu-HU\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\hu-HU\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\hu-HU\memtest.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\hu-HU\memtest.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\it-IT\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\it-IT\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\it-IT\memtest.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\it-IT\memtest.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\ja-JP\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\ja-JP\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\ja-JP\memtest.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\ja-JP\memtest.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\ko-KR\bootmgr.exe.mui
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\ko-KR\bootmgr.exe.mui /reset
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\ko-KR\memtest.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\ko-KR\memtest.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\lt-LT\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\lt-LT\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\lv-LV\bootmgr.exe.mui
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\lv-LV\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\nb-NO\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\nb-NO\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\nb-NO\memtest.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\nb-NO\memtest.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\nl-NL\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\nl-NL\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\nl-NL\memtest.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\nl-NL\memtest.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\pl-PL\bootmgr.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe 2⤵
C:\Windows\system32\icacls.exe C:\Boot\pl-PL\bootmgr.exe.mui /reset
-
C:\Windows\SysWOW64\takeown.exe 2⤵
C:\Windows\system32\takeown.exe /F C:\Boot\pl-PL\memtest.exe.mui
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\pl-PL\memtest.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\pt-BR\bootmgr.exe.mui2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\pt-BR\bootmgr.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\pt-BR\memtest.exe.mui2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\pt-BR\memtest.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\pt-PT\bootmgr.exe.mui2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\pt-PT\bootmgr.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\pt-PT\memtest.exe.mui2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\pt-PT\memtest.exe.mui /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\qps-ploc\bootmgr.exe.mui2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\qps-ploc\bootmgr.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\qps-ploc\memtest.exe.mui2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\qps-ploc\memtest.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\Resources\en-US\bootres.dll.mui2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\Resources\en-US\bootres.dll.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\ro-RO\bootmgr.exe.mui2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\ro-RO\bootmgr.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\ru-RU\bootmgr.exe.mui2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\ru-RU\bootmgr.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\ru-RU\memtest.exe.mui2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\ru-RU\memtest.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\sk-SK\bootmgr.exe.mui2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\sk-SK\bootmgr.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\sl-SI\bootmgr.exe.mui2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\sl-SI\bootmgr.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\sr-Latn-RS\bootmgr.exe.mui2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\sr-Latn-RS\bootmgr.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\sv-SE\bootmgr.exe.mui2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\sv-SE\bootmgr.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\sv-SE\memtest.exe.mui2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\sv-SE\memtest.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\tr-TR\bootmgr.exe.mui2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\tr-TR\bootmgr.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\tr-TR\memtest.exe.mui2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\tr-TR\memtest.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\uk-UA\bootmgr.exe.mui2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\uk-UA\bootmgr.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\zh-CN\bootmgr.exe.mui2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\zh-CN\bootmgr.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\zh-CN\memtest.exe.mui2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\zh-CN\memtest.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\zh-TW\bootmgr.exe.mui2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\zh-TW\bootmgr.exe.mui /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Boot\zh-TW\memtest.exe.mui2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Boot\zh-TW\memtest.exe.mui /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\AppData\Local\Application Data"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\AppData\Local\Application Data" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\AppData\Local\Application Data\History"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\AppData\Local\Application Data\History" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\AppData\Local\Application Data\Microsoft\Windows\INetCache\Content.IE5"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\AppData\Local\Application Data\Microsoft\Windows\INetCache\Content.IE5" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\AppData\Local\Application Data\Temporary Internet Files"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\AppData\Local\Application Data\Temporary Internet Files" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\Application Data"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\Application Data" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\Cookies"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\Cookies" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\Documents\My Music"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\Documents\My Music" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\Documents\My Pictures"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\Documents\My Pictures" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\Documents\My Videos"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\Documents\My Videos" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\Local Settings"2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\Local Settings" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\My Documents"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\My Documents" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\NetHood"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\NetHood" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\PrintHood"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\PrintHood" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\Recent"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\Recent" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\SendTo"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\SendTo" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\Start Menu"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\Start Menu" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\Admin\Templates"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\Admin\Templates" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Desktop"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Desktop" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Documents"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Documents" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Documents\My Music"2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Documents\My Music" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Documents\My Pictures"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Documents\My Pictures" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Documents\My Videos"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Documents\My Videos" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\AppV\Setup\OfficeIntegrator.ps1"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\countrytable.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\countrytable.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.chk"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.chk" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.log"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb.log" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb00001.log"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb00001.log" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb00001.log"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb00001.log" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb00001.log"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edb00001.log" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbtmp.log"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbtmp.log" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbtmp.log"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbtmp.log" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbtmp.log"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\edbtmp.log" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Storage Health\StorageHealthModel.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Storage Health\StorageHealthModel.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml"2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml"2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml"2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\VdiState.xml"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\InboxTemplates\VdiState.xml" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\DeviceMetadataStore\en-US\63921eef-8415-4368-9201-f0df4af5778f.devicemetadata-ms"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\DeviceMetadataStore\en-US\63921eef-8415-4368-9201-f0df4af5778f.devicemetadata-ms" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\MpAsBase.vdm"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\MpAsBase.vdm" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\MpAsDlta.vdm"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\MpAsDlta.vdm" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\MpAvBase.vdm"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\MpAvBase.vdm" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\MpAvDlta.vdm"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\MpAvDlta.vdm" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\NisBase.vdm"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\NisBase.vdm" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\NisFull.vdm"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Default\NisFull.vdm" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender Advanced Threat Protection\Cache"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender Advanced Threat Protection\Cache" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\confident.cov"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\confident.cov" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\fyi.cov"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\fyi.cov" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\generic.cov"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\generic.cov" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\urgent.cov"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\de-DE\urgent.cov" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\confident.cov"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\confident.cov" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\fyi.cov"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\fyi.cov" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\generic.cov"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\generic.cov" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\urgent.cov"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\fr-FR\urgent.cov" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\confident.cov"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\confident.cov" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\fyi.cov"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\fyi.cov" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\generic.cov"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\generic.cov" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\urgent.cov"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\ja-JP\urgent.cov" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\de-DE\WelcomeFax.tif"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\de-DE\WelcomeFax.tif" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\fr-FR\WelcomeFax.tif"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\fr-FR\WelcomeFax.tif" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\ja-JP\WelcomeFax.tif"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\ja-JP\WelcomeFax.tif" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Start Menu"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Start Menu" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Application Data\Templates"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Application Data\Templates" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.chk" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb.log" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edb00001.log" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00001.jrs" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbres00002.jrs" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log"2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\edbtmp.log" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.jfm" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat"2⤵
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "C:\Documents and Settings\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\ActivationStore.dat" /reset2⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RestoreHide.gif.readme2unlock.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Microsoft\Windows\PRICache\1601268389\3068621934.pri
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Microsoft\Windows\PRICache\4183903823\1195458082.pri
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Temp\22288.tmp
-
C:\Users\Admin\AppData\Roaming\5JZpJVsk:mJSsMH
-
C:\Users\Admin\AppData\Roaming\ZQKG30~1:XqCwN
-
C:\Users\Admin\Desktop\RestoreHide.gif.readme2unlock.txt
-
C:\Users\gratemin\Desktop\p1q135no.exe
-
C:\Windows\System32\msdtc.exe